Charles wrote

Unsalted SHA-1... That's pretty lame.


Even if the passwords were hashed with salt, if you have six million of them, you could likely guess the salt from the distribution. If you took the most common passwords, and compared them to a histogram of common passwords, you could leverage that knowledge to guess the salt. Or maybe not.
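An added example, not part of Charles's comment: it counts how often each digest repeats in a stored password table under three schemes, so the effect of salting on the histogram can be measured. The sample accounts, the shared salt value and all function names are constructed for illustration.

```python
import hashlib
import os
from collections import Counter

# Constructed sample: a skewed password distribution across 100 accounts.
SAMPLE = (
    [(f"a{i}", "123456") for i in range(50)]
    + [(f"b{i}", "password") for i in range(30)]
    + [(f"c{i}", "letmein") for i in range(15)]
    + [(f"d{i}", f"unique-{i}") for i in range(5)]
)

# SHA-1 appears only because the thread is about it; it is a fast hash
# and not a password-hashing function.
def sha1_hex(password, salt=b""):
    return hashlib.sha1(salt + password.encode()).hexdigest()

def top_counts(digests, n=3):
    """Sizes of the n largest groups of identical digests."""
    return [count for _, count in Counter(digests).most_common(n)]

def duplicate_fraction(digests):
    """Share of stored digests that collide with at least one other row."""
    counts = Counter(digests)
    return sum(c for c in counts.values() if c > 1) / len(digests)

def compare(sample, shared_salt=b"constructed-site-salt"):
    # Same password, same digest: the password histogram survives hashing.
    unsalted = [sha1_hex(p) for _, p in sample]
    # One salt for every row changes the digests but not the group sizes.
    shared = [sha1_hex(p, shared_salt) for _, p in sample]
    # A fresh 16-byte random salt per row (stored next to the digest in a
    # real table) makes equal passwords hash to different values.
    per_user = [sha1_hex(p, os.urandom(16)) for _, p in sample]
    return {
        "unsalted": (top_counts(unsalted), duplicate_fraction(unsalted)),
        "shared_salt": (top_counts(shared), duplicate_fraction(shared)),
        "per_user_salt": (top_counts(per_user), duplicate_fraction(per_user)),
    }

if __name__ == "__main__":
    for scheme, (top, dup) in compare(SAMPLE).items():
        print(f"{scheme:14s} top groups={top} duplicate fraction={dup:.2f}")
```
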