Corrections: Random collisions for MD5 start to become frequent when you have around 2^64 digests, which is the square root of the cardinality of MD5's output space, not 2^127, which is half the cardinality of MD5's output space. To provide k bits of security against random collisions, you need a cryptographic hash function providing 2k bits of output, not k+1 bits of output. Cryptographic hashes functions are usually designed to be as fast as possible across a wide variety of currently-in-use hardware, including servers, desktops/laptops, handheld devices, and embedded chips. A password hashing function has the unusual requirement that it should be very slow to compute in addition to it being a good cryptographic hash function. However, most other uses of cryptographic hash functions - such as (1) HTTPS (2) the ETag header in HTTP responses (3) the session-cookie signing in every Rails application - require an extremely fast function and have no use for a slow hash function.