SHA-3 is KECCAK

John Colvin john.loughran.colvin at gmail.com
Tue Jan 21 02:05:58 PST 2014


On Tuesday, 21 January 2014 at 09:58:34 UTC, Uranuz wrote:
> I don't feel confident about crypto and security 
> questions, but I need to do password hashing and generation 
> of session IDs, and make it difficult to pick up a password with 
> brute force or a dictionary on a single "usual" computer. I'm 
> slightly disappointed that the more I read different articles 
> on IT forums, the less I understand. And there are 
> several opposing ideas that stun me.
>  1. All security systems, ciphers, etc. can be hacked if someone 
> wants it
>  2. Do not reinvent the wheel. Everything has been invented already.
>  3. If you use a standard implementation, there's a high risk that it 
> was cracked already.
>  4. Is it really essential to someone to crack your security?
>
> About md5, I have read that it's already cracked. It's 
> vulnerable to length extension attack. As I feel, SHA 2 is 
> better (but it's not my opinion - it's just a subjective 
> feeling). And maybe a more modern algorithm hasn't been hacked 
> yet. A higher variety of standard implemented hash algorithms can 
> make it possible to combine them in different ways to get a non-standard 
> implementation of a hash. As I think, it can increase security 
> against attacks with rainbow tables.
>
> I don't know if I'm right or not. The reason why I asked is that 
> I'm implementing authentication on a site written in D. So I want 
> to make the password hash generation function secure enough to 
> forget about it for ~5 years or more. Because there are only a 
> few hash functions implemented in std.digest and they are 
> not so strong for security reasons. It makes it not very useful.
>
> P.S. Sorry for my English.

I don't have any significant expertise on this subject, but I did 
find this highly rated article useful and interesting: 
http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right

Note that it recommends against md5.
