Unless my math is off, the combined power of the bitcoin network could find collisions in seconds (ignoring SHA-1 vs SHA-256). It isn't too unreasonable to assume that kind of hardware power would be available to nation states.
And the next fifteen years of Moore's Law will take that down to, what, 1 GPU month even without further algorithmic improvements? Which are anticipated?
I still see things that use 2-digit years, twenty years after the last millennium bug should have been fixed.
"Next fifteen years of Moore's Law?" The recent failure of Intel's "tick-tock" alternation of process shrinkage and new architecture suggests that however performance improves in the next 15 years, projecting the last 15 years' Moore's Law forward is a bad idea. For crypto stuff, I'd think about how quantum computing may advance by the 2030s.
[3] Google spent 6500 CPU years and 110 GPU years to convince everyone we need to stop using SHA-1 for security critical applications