Yep, pretty much D-Jester. One collision in 2**69 operations... that's quite minimal. Sure, for signatures, it means that you can't trust the algorithm 100% anymore. But for storing passwords, and other operations where collisions are not important, it doesn't matter much, even if there's another password that can generate the same hash, you still need to brute-force it.