In the past, many cryptographic hash algorithms were proposed and used by software developers. Some of them was broken (like MD5 and SHA1), some are still considered secure (like SHA-2, SHA-3 and BLAKE2). Let's review the most widely used cryptographic hash functions (algorithms).
Secure Hash Functions
Modern cryptographic hash algorithms (like SHA-3 and BLAKE2) are considered secure enough for most applications.
SHA-2, SHA-256, SHA-512
SHA-2 is a family of strong cryptographic hash functions: SHA-256 (256 bits hash), SHA-384 (384 bits hash), SHA-512 (512 bits hash), etc. It is based on the cryptographic concept "Merkle–Damgård construction" and is considered highly secure. SHA-2 is published as official crypto standard in the United States.
SHA-2 is widely used by developers and in cryptography and is considered cryptographically strong enough for modern commercial applications.
SHA-256 is widely used in the Bitcoin blockchain, e.g. for identifying the transaction hashes and for the proof-of-work mining performed by the miners.
By design, more bits at the hash output are expected to achieve stronger security and higher collision resistance (with some exceptions). As general rule, 128-bit hash functions are weaker than 256-bit hash functions, which are weaker than 512-bit hash functions.
Thus, SHA-512 is stronger than SHA-256, so we can expect that for SHA-512 it is more unlikely to practically find a collision than for SHA-256.
SHA-3, SHA3-256, SHA3-512, Keccak-256
SHA-3 (and its variants SHA3-224, SHA3-256, SHA3-384, SHA3-512), is considered more secure than SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512) for the same hash length. For example, SHA3-256 provides more cryptographic strength than SHA-256 for the same hash length (256 bits).
The SHA-3 family of functions are representatives of the "Keccak" hashes family, which are based on the cryptographic concept "sponge construction". Keccak is the winner of the SHA-3 NIST competition.
Unlike SHA-2, the SHA-3 family of cryptographic hash functions are not vulnerable to the "length extension attack".
SHA-3 is considered highly secure and is published as official recommended crypto standard in the United States.
The hash function Keccak-256, which is used in the Ethereum blockchain, is a variant of SHA3-256 with some constants changed in the code.
The hash functions SHAKE128(msg, length) and SHAKE256(msg, length) are variants of the SHA3-256 and SHA3-512 algorithms, where the output message length can vary.
[BLAKE](https://en.wikipedia.org/wiki/BLAKE_%28hash_function) / BLAKE2 / BLAKE2s / BLAKE2b is a family of fast, highly secure cryptographic hash functions, providing calculation of 160-bit, 224-bit, 256-bit, 384-bit and 512-bit digest sizes, widely used in modern cryptography. BLAKE is one of the finalists at the SHA-3 NIST competition.
The BLAKE2 function is an improved version of BLAKE.
BLAKE2s (typically 256-bit) is BLAKE2 implementation, performance-optimized for 32-bit microprocessors.
BLAKE2b (typically 512-bit) is BLAKE2 implementation, performance-optimized for 64-bit microprocessors.
The BLAKE2 hash function has similar security strength like SHA-3, but is less used by developers than SHA2 and SHA3.
RIPEMD-160 is a secure hash function, widely used in cryptography, e.g. in PGP and Bitcoin.
The 160-bit variant of RIPEMD is widely used in practice, while the other variations like RIPEMD-128, RIPEMD-256 and RIPEMD-320 are not popular and have disputable security strengths.
As recommendation, prefer using SHA-2 and SHA-3 instead of RIPEMD, because they are more stronger than RIPEMD, due to higher bit length and less chance for collisions.
All of the above popular secure hash functions (SHA-2, SHA-3, BLAKE2, RIPEMD) are not restricted by commercial patents and are free for public use.
Insecure Hash Functions
Old hash algorithms like MD5, SHA-0 and SHA-1 are considered insecure and were withdrawn due to cryptographic weaknesses (collisions found). Don't use MD5, SHA-0 and SHA-1! All these hash functions are proven to be cryptographically insecure.
You can find in Internet that SHA1 collisions can be practically generated and this results in algorithms for creating fake digital signatures, demonstrated by two different signed PDF documents which hold different content, but have the same hash value and the same digital signature. See https://shattered.io.
Avoid using of the following hash algorithms, which are considered insecure or have disputable security: MD2, MD4, MD5, SHA-0, SHA-1, Panama, HAVAL (disputable security, collisions found for HAVAL-128), Tiger (disputable, weaknesses found), SipHash (it is not a cryptographic hash function).
Other Secure Hash Functions
The below functions are popular strong cryptographic hash functions, alternatives to SHA-2, SHA-3 and BLAKE2:
Whirlpool is secure cryptographic hash function, which produces 512-bit hashes.
SM3 is the crypto hash function, officialy standartized by the Chinese government. It is similar to SHA-256 (based on the Merkle–Damgård construction) and produces 256-bit hashes.
GOST (GOST R 34.11-94) is secure cryptographic hash function, the Russian national standard, described in RFC 4357. It produces 256-bit hashes.
The below functions are less popular alternatives to SHA-2, SHA-3 and BLAKE, finalists at the SHA-3 NIST competition:
Skein is secure cryptographic hash function, capable to derive 128, 160, 224, 256, 384, 512 and 1024-bit hashes.
Grøstl is secure cryptographic hash function, capable to derive 224, 256, 384 and 512-bit hashes.
JH is secure cryptographic hash function, capable to derive 224, 256, 384 and 512-bit hashes.
No Collisions for SHA-256, SHA3-256, BLAKE2s and RIPEMD-160 are Known
As of Oct 2018, no collisions are known for: SHA256, SHA3-256, Keccak-256, BLAKE2s, RIPEMD160 and few others.
Brute forcing to find hash function collision as general costs: 2128 for SHA256 / SHA3-256 and 280 for RIPEMD160.
Respectively, on a powerful enough quantum computer, it will cost less time: 2256/3 and 2160/3 respectively. Still (as of September 2018) so powerful quantum computers are not known to exist.