How long should I wait before choosing a hash function?

How long should I wait before using a newer (hopefully improved) hash function?

The better question to ask is: "How long should I wait before switching off my current hash". What are you on now? If your data is protected with MD5 or SHA1 then please switch. Please switch now. If you're already on something that's believed to be unbroken, then you have no reason to "upgrade".

The general rule with crypto is to assume everything will be broken eventually, so pick something that's not known to be broken at the time, and have a plan in place to switch your data over to a new algorithm in a hurry if an attack does get published.

At the time of writing, the following are all perfectly acceptable, not known to be broken, hash functions / key derivation functions:

  • BLAKE, SHA2, SHA3, ... , bcrypt, scrypt, PBKDF2, argon2, ...

Choose the one that best fits your application.


Is SHA-3 ready for use because of extra testing that went on during the NIST competition?

If NIST has standardized it (which they have in FIPS-202), then it's ready for use!

As @RoryAlsop said, beware that if you need your data to be compatible with multiple pieces of software, then be aware of compatibility issues; just because SHA3's been standardized for two years, doesn't mean that it's been widely adopted.


One final note, reading between the lines, you seem to be implying that SHA3 is "a newer (hopefully improved) hash function". I want to correct this.

While it is newer, it is not "better" than SHA2, in fact SHA3 offers exactly the same security levels as SHA2. NIST launched the SHA3 competition not because they wanted to "improve" on SHA2, but because they were uncomfortable with the "all your eggs in one basket" nature of only having one approved hash algorithm. That's not to say there's anything wrong with SHA2, but if something does come up, they want to have a migration path at the ready.


SHA3 for password hashing.

Bad idea. SHA3 is ideal for file hashing (because it's fast), but it would actually be considered a weakness to use it for password hashing (because it's fast).

See NIST SP-800-63b:

Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack.

SHA3 is designed to be efficient; it is neither slow (time-hard) nor big (memory-hard).

PBKDF2 and Balloon are schemes that wrap around a standard hash function to make it time-hard / memory-hard, respectively. So if you only wanted to support one hashing primitive in, say, your embedded hardware device, you can wrap PBKDF2 / Balloon around SHA3 and still have FIPS-certified crypto, but please don't use naked SHA3 on passwords.