SHA-3 is KECCAK

Kagamin spam at here.lot
Wed Jan 22 07:48:03 PST 2014


On Tuesday, 21 January 2014 at 09:58:34 UTC, Uranuz wrote:
> I don't feel confident about crypto and security 
> questions, but I need to make password hashing and generating 
> of session Ids. And make it difficult to pick up the password with 
> brute force or a dictionary with a single "usual" computer.

The article linked by John Colvin is comprehensive enough to give 
you an understanding of the problem; it outlines all the mistakes in 
password hashing schemes and how to solve them properly. The 
dictionary attack is the most dangerous, as indicated by the 
article; a slow hash like bcrypt can be of some help. It may win 
you a little time, but that time can be enough for the 
administrator to lock the system. A slow hash makes brute force 
slower, because it has to compute the hash a lot. So for password 
hashing there's no reason to choose md5, because it's the fastest 
:)
There's no reason to implement bcrypt on your own (like 
repetitive hashing), because it should be well optimized in order 
not to let the attacker compute the hash faster with a more 
optimal implementation.
A keyed hash is a very strong protection if you keep the key 
secret. The task of protecting the key is more administrative 
than cryptographic. If the attacker can't retrieve the key, he 
can only brute force the password remotely on your system, but 
since he will use your code, you have the chance to detect the 
attack. What to do once you have detected it is up to you.
Another possibility to consider is two-factor authentication for 
the case when the password is indeed stolen.

> About md5 I have read that it's already cracked. It's 
> vulnerable to length extension attack.

The length extension attack is used against digital signatures; 
it's useless against password hashing (that's why it's not 
considered in the article). The attack is prevented by prepending 
the salt instead of appending it.
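As an added example (not from this post, nor D forum code), here is how the pieces the reply recommends fit together: a per-user salt, a standard slow hash, and a keyed hash under a secret kept outside the database. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt; SERVER_KEY, the iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder: a real deployment loads this from a secrets store
# or HSM, never from the same database that holds the password records.
SERVER_KEY = bytes.fromhex("0f" * 32)

# Assumed work factor; tune it so one hash costs tens to hundreds of ms.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  key: bytes = SERVER_KEY, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm, iterations, salt and keyed tag."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt, stored in the clear
    # Slow, salted hash. PBKDF2-HMAC-SHA256 is a standard construction from
    # the standard library; it stands in for bcrypt here, not hand-rolled loops.
    slow = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Keyed hash over the slow digest: a stolen table without the key gives an
    # attacker nothing to test candidate passwords against offline.
    tag = hmac.new(key, slow, hashlib.sha256).digest()
    return "$".join(["pbkdf2-sha256", str(iterations), salt.hex(), tag.hex()])


def verify_password(password: str, record: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, tag_hex = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(tag_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: treat as an authentication failure
    expected = hash_password(password, salt, key, iterations).split("$")[3]
    return hmac.compare_digest(bytes.fromhex(expected), stored)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                   # False
```

Because the tag depends on SERVER_KEY, verification with a different key fails even for the right password, which is the property that makes a leaked table alone useless to an attacker.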

