I'm using MD5 to hash passwords. When should I jump to the next thing? SHA-3? [closed]

心不动则不痛 submitted on 2019-11-28 01:46:46

The main reason not to use MD5 for hashing passwords is not the fact that MD5 is severely compromised or even considered broken.

It’s true, MD5 has known vulnerabilities. But none of them pose a serious threat to your use of MD5. Because in your case the only threat would be a preimage attack where an attacker would try to find a preimage of a known hash, e.g. the password to a known (salted) password hash. And the probably known preimage attack against MD5 is only theoretical and lowers the effort from 2^128 to 2^123.4, which is no big advantage. A brute-force attack with an average of 2^64 is still more promising.

No, the main reason not to use MD5 is that MD5 is too fast. With one of today's affordable computers you can generate and test 7190M MD5 hashes per second. All 8-character combinations of alphanumeric characters can be brute-forced in about 8.5 hours, no matter whether with or without salt.

In contrast to that, with a hash function like bcrypt $2a$ one can only generate and test 4085 hashes per second, so only 0.00005682 % of the number of MD5 hashes. With bcrypt $2a$ you would need 1694 years for the same attempt.
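The following is an added example, not part of the original answer: it reproduces the 8.5-hour and 1694-year figures from the quoted rates, then calibrates a deliberately slow password hash on the local machine. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (which the standard library does not include); all function names are illustrative.

```python
import hashlib, hmac, os, time

# Rates quoted in the answer above, in hashes per second.
MD5_RATE, BCRYPT_RATE = 7190e6, 4085

def exhaust_seconds(alphabet, length, rate):
    """Seconds to try every string of exactly `length` symbols at `rate` H/s."""
    return alphabet ** length / rate

def measure_rate(fn, min_seconds=0.2):
    """Single-threaded calls per second of fn() on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < min_seconds:
        fn()
        n += 1
    return n / (time.perf_counter() - start)

def calibrate_pbkdf2(target_seconds=0.1, probe_iters=20_000):
    """Iteration count so one PBKDF2-HMAC-SHA256 costs about target_seconds here."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-probe", b"\0" * 16, probe_iters)
    per_iter = (time.perf_counter() - start) / probe_iters
    # probe_iters doubles as a floor so a noisy timing never yields a tiny count.
    return max(probe_iters, int(target_seconds / per_iter))

def hash_password(password, iters):
    """Return (salt, iters, derived_key); store all three with the account."""
    salt = os.urandom(16)
    return salt, iters, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)

def verify_password(password, salt, iters, expected):
    """Recompute with the stored salt and cost, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    year = 365 * 24 * 3600
    print(f"MD5    @ quoted rate: {exhaust_seconds(62, 8, MD5_RATE) / 3600:.1f} hours")
    print(f"bcrypt @ quoted rate: {exhaust_seconds(62, 8, BCRYPT_RATE) / year:.0f} years")
    iters = calibrate_pbkdf2()
    md5 = measure_rate(lambda: hashlib.md5(b"salt" + b"constructed").digest())
    kdf = measure_rate(lambda: hashlib.pbkdf2_hmac("sha256", b"constructed", b"salt", iters))
    print(f"local: md5 {md5:,.0f}/s vs PBKDF2({iters} iters) {kdf:,.1f}/s")
    record = hash_password("constructed-sample-password", iters)  # constructed sample
    print("verify ok:", verify_password("constructed-sample-password", *record))
```

The local rates are single-threaded CPU measurements and will be far below the GPU figure quoted in the answer; what carries over is the ratio between the fast hash and the calibrated one.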
