The highest risk of collision is based on the shorted hash value output length. From this list of MD5 has the shortest with 128 bit hash value length. SHA-1 has 160 bit hash value length, and SHA-2 has hash value length starting as 224 increasing from there. HMAC is not a hashing algorithm, instead it is an implementation of hashing. HMAC can use any hashing algorithm, such as MD5 or SHA-1, then adds the use of a symmetric key as a randomness source in order to produce a more complex hash. It does not produce an encrypted hash. Since HMAC can use any hashing algorithm, it is not necessarily using MD5 and with the added randomness, collisions are less common that with MD5 on its own.