There are several weaknesses in your scheme. Actually you encrypt the password and throw away the key.
- You take only 5 (base64 encoded) characters as the key, so an
attacker needs about 1 Giga tries to crack the hash in the database
(for comparison, everybody can crack 8 Giga MD5 hashes per second).
This cracked database-hash can then be brute forced with the
md5(md5($pass) . $user)
scheme, which is also ways too fast. - Since you do not add a random salt in the MD5 part, an attacker could prepare rainbow-tables for specific accounts like user "admin", then the only protection is the weak encryption part.
Actually there is no advantage over the standard way with the password_hash() function. This function will produce a BCrypt hash, and the cost factor determines the needed time for calculation to thwart brute-force attacks.