[Scorpion]

The thing is that they don't appear to be random. Everyone with the same password had the same salt. I guess default isn't the right word. Whatever algorithm they used to generate the salt always generated the same two characters given the same input. I'm curious as to whether anyone knows the details of that function.

[Xk]

What? No. Not at all. The most number times a given salt||hash occurs in the database is seven.

Why do you think that what you said is true?

[Scorpion]

I misinterpreted what I was looking at and I made a bad assumption that since the same hash for a known password appeared several times in my narrow view that it was the same for all occurrences of the known password.

Your comment that the maximum number of a given salt||hash was seven also threw me for a second. Am I correct that that is purely coincidental? Given the limit of only two characters for the salt (in what set? all printable characters?) and the sheer volume of accounts there is simply some unintended overlap? It just happens that the most it occured was seven times?

[Xk]

Ah, alright.

Yeah, seven is just coincidental. But, it appears that you are correct in one respect: seven seems a bit high to me. I don't have the time to do the probability distributions out, if someone cares would they do the calculation and check?

EDIT: The salt 'sV' occurred 215 times. sV39Fw5at18zo occurs seven times. Assuming that there were only 300 possible passwords each of which occurred with probability ~.3% (the probability of '123456'), then the probability of seven passwords hashing to the same value is incredibly low. Less than a thousandth of one percent. Does anyone know why this is? Or was it just the case that Scorpion's assumption that the distribution is very non-random is correct?