Which hash method do you use (MD5, SHA1, other?)


This Wikipedia page has an extensive list of hashing methods

As you can see, both MD5 and SHA1 have been broken (in cryptography, "broken" means there's an attack less complex than the brute-force attack. In other words, if you need 1 million years to find a collision instead of one billion years using brute force, the algorithm is considered broken, even if it's probably still safe to use it).

What do you use as a hash algorithm?

SHA1 is broken but one still needs billions of years to compute a collision.

Other hashes are still unbroken, but we have to keep in mind that researchers concentrate their efforts on mainstream algorithms (that is, MD5 and SHA1), so unbroken hashes may be insecure as well.

7 solutions

#1


These days most people still use SHA1 or even MD5, broken or not, because the current state of the art in hashing is that we have some functions that we know have theoretical vulnerabilities but no really practical breaks, and some unproven functions that we know very little about at all.

If you're using a hash function for password storage, the theoretical vulnerabilities probably don't matter to you. Firstly because the nature of the vulnerabilities doesn't really help in reversing passwords. Secondly because if you care about security that much, you probably wouldn't be using passwords.

Where it will matter more is if you are using digital signatures, SSL, IPSEC, etc., which all rely on hash functions, and if you need the hash function to remain secure for a long time. However, here you have little choice but to wait and see which hash function(s) become the new proven standard, and/or use more than one hash function if you can.

Even then, this is way down on the list of threats in the big picture. Security problems in your system are far more likely to be in your own code, or people threats, than somebody attacking your hash function!

Still, if designing a new system, the advice to design it so you can replace any of your crypto algorithms at any time remains valuable. Ideally via configuration / plugin, and not a recompile.
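
The replaceable-algorithm advice in the answer above, sketched as an added example (not code from the original answer): each stored digest names its own algorithm, and a policy dictionary, assumed here to stand in for a configuration file, decides what is issued and what is still accepted. The names `POLICY`, `make_record`, `check_record` and `upgrade` are hypothetical.

```python
import hashlib
import hmac

# Assumed policy; in a real system this would be loaded from configuration,
# so that changing algorithms needs no recompile.
POLICY = {
    "preferred": "sha256",                   # used for every new digest
    "accepted": {"sha256", "sha1", "md5"},   # legacy records still verifiable
}

def make_record(data: bytes, policy=POLICY) -> str:
    """Return 'algorithm$hexdigest' so the record names its own algorithm."""
    algo = policy["preferred"]
    return f"{algo}${hashlib.new(algo, data).hexdigest()}"

def check_record(data: bytes, record: str, policy=POLICY):
    """Return (matches, needs_upgrade) for a stored 'algorithm$hexdigest'."""
    algo, _, stored = record.partition("$")
    if algo not in policy["accepted"]:
        raise ValueError(f"algorithm {algo!r} is not allowed by policy")
    computed = hashlib.new(algo, data).hexdigest()
    matches = hmac.compare_digest(computed, stored.lower())
    # Only a record that verifies is worth re-issuing under the new algorithm.
    return matches, matches and algo != policy["preferred"]

def upgrade(data: bytes, record: str, policy=POLICY) -> str:
    """Re-issue a verified legacy record under the preferred algorithm."""
    matches, needs_upgrade = check_record(data, record, policy)
    if not matches:
        raise ValueError("refusing to upgrade a record that does not verify")
    return make_record(data, policy) if needs_upgrade else record
```

Retiring an algorithm then means removing it from `accepted` once every record has been upgraded; no stored format changes.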

#2


I use the Whirlpool hash. However... you must not rely on hashing to protect passwords. If you're storing a password in a database, always use a decent salt (which helps prevent rainbow table attacks and collisions).

And follow other appropriate security guidelines for your platform :)

#3


It depends on what I am using the hash for... Security? File change detection? Finding duplicate files?

I assume from the way the question was asked the former is the reason you are using hashes. In which case I would recommend not using a "broken" method.

If non-security uses are the case (i.e. finding duplicate files), MD5 works fine and is quicker.

#4


There are others like SHA-256 or RIPEMD-160 or even one of the SHA-3 candidates (see list here for you to choose). Bear always in mind that these have not been as thoroughly tested and analyzed as MD4/5 and SHA-1. This also has a cost in terms of performance, of course.

One answer to your question would be to use two of them, hopefully different enough that breaking one does not break the other. The odds against both being broken enough to fake two checksums are pretty abyssal IMHO.

#5


If security is your concern, it's better to avoid "broken" hash functions. What you said may be true for some hash functions that are just broken by researchers, but a real-world attack can soon surface by using new insights gained through the research work.

For example, collisions of MD5 can now be found very quickly (I think Wikipedia mentioned a method that can do it within minutes, but correct me if I'm wrong).

You don't want to re-compute all your hashes/signatures for tons of things you have already computed in case that happens.

#6


As I understand it the broken part of MD5 is that someone with the original text is now able to easily construct a second text that has the same MD5 digest.

It's still not possible for someone who only has the MD5 digest of that original text to construct a second text that matches it.

#7


This is also discussed at https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords and https://security.stackexchange.com/questions/56397/which-hashing-algorithm-is-ideal-for-use-on-the-web

TL;DR:

  • if you hash passwords, you need something slow, like bcrypt.
  • otherwise, SHA-256 seems the way to go.
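
The salt advice in answer #2 and the "something slow" advice in answer #7, combined in one added example (not code from either answer). bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` is swapped in as the slow function; the record layout and the names `hash_password`, `verify_password`, `needs_rehash` and `ITERATIONS` are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh salt."""
    salt = secrets.token_bytes(16)  # unique per password, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and cost stored in the record, then compare."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unknown scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower cost than current policy."""
    return int(record.split("$")[1]) < iterations
```

Because the salt is random, two users with the same password get different records, and because the cost is stored in the record, it can be raised at the next successful login.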