by Klathmon 3583 days ago
Or were they really bad salts? Like a hash of the username?
2 comments

That wouldn't really be a proper salt, although technically it would fulfil the purpose of a salt, which is to prevent lookup tables being used.

Oh I agree, but I've seen too many "clever" systems which derive the salt from something like the username or another field or fields in the DB.

Just because there is no obvious salt now doesn't mean it's not there. Only Dropbox knows how it worked at this point.

We will have to wait for a code leak ;-)

Uh oh. You might be on to something. Salts are pretty much always stored right next to the hash, right? If the hack doesn't contain them, maybe they were doing something "clever" like that.
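The difference the thread is circling, as an added example that is not part of any comment above and does not describe Dropbox's actual scheme: a salt derived from the username needs no stored salt column but repeats whenever the same username and password recur, while a random salt has to be stored beside the hash. The function names, the PBKDF2 parameters and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed demo value, not taken from the thread


def derived_salt(username: str) -> bytes:
    # The "clever" scheme: the salt is computed from the username.
    return hashlib.sha256(username.encode()).digest()[:16]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record_derived(username: str, password: str) -> dict:
    # No salt column: anyone who learns the scheme can recompute the salt.
    return {"user": username, "hash": hash_password(password, derived_salt(username))}


def make_record_random(username: str, password: str) -> dict:
    # Random per-record salt, stored right next to the hash.
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    salt = record.get("salt") or derived_salt(record["user"])
    return hmac.compare_digest(record["hash"], hash_password(password, salt))


def demo() -> dict:
    # Constructed sample: the same account created on two independent systems.
    user, pw = "admin", "correct horse"
    d1, d2 = make_record_derived(user, pw), make_record_derived(user, pw)
    r1, r2 = make_record_random(user, pw), make_record_random(user, pw)
    return {
        # Identical hashes: one precomputed table per username works everywhere.
        "derived_hashes_repeat": d1["hash"] == d2["hash"],
        # Different hashes: nothing can be precomputed before the dump is seen.
        "random_hashes_repeat": r1["hash"] == r2["hash"],
        "derived_has_salt_column": "salt" in d1,
        "random_has_salt_column": "salt" in r1,
    }


if __name__ == "__main__":
    print(demo())
```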