No, the vast majority of the passwords were done properly with md5_crypt(). They will probably never be cracked in any serious number.
The few that have been cracked were all passwords stored using the old unsalted DES based crypt(). Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().
Could you explain to a layman how we can tell the difference? Looking at the string next to my email, I'd like to feel a little more secure if I know it was a more secure encryption.
If it starts with $, it is probably pretty safe.
Without a $, the field is calculated by taking 25 rounds of DES on a 56 bit key field derived from the first 8 characters of the password. This is very easy to crack.
If it starts with $1$, the next part is a random salt, ending with the next $. The password and this random salt are hashed with MD5. Then this hash, the password and the salt are all hashed again. Then there are 1000 rounds of hashing using the password and the previous hash. This value is what is finally stored in the file after the last $.
There are other schemes, such as $2$ and $2a$ that are based on blowfish, $3$ which blows, $5$ and $6$ which are based on SHA. But I don't think any of those were used here.
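The md5_crypt construction described above (password + "$1$" + salt hashed, an alternate hash of password + salt + password mixed in, then 1000 rounds alternating password and previous hash, then a custom base64 encoding after the last $), written out as an added Python example. This is not code from the original thread; it follows the public md5crypt algorithm and uses only the standard library. The `verify` helper, the `md5_crypt` function name and the sample salt are this example's own choices; the test vector for "password" is the one published in the passlib documentation.

```python
import hashlib
import hmac

MAGIC = b"$1$"
# md5crypt's own alphabet, which is not standard base64
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters, 6 bits each, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return the $1$salt$hash string for `password` (md5crypt algorithm)."""
    salt = salt[:8].split(b"$", 1)[0]  # at most 8 chars, never containing '$'

    # Main context: password, magic, salt
    ctx = hashlib.md5(password + MAGIC + salt)

    # Alternate sum: password + salt + password, mixed in one byte per password byte
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16

    # Bit-walk over the password length: a NUL for set bits, first password byte otherwise
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds: each round re-hashes the previous digest with the
    # password and salt in an order that depends on the round number
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    # Encode the 16 digest bytes in md5crypt's interleaved order (22 characters)
    encoded = b"".join(
        [
            _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
            _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
            _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
            _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
            _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
            _to64(final[11], 2),
        ]
    )
    return (MAGIC + salt + b"$" + encoded).decode("ascii")


def verify(password: bytes, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if not stored.startswith("$1$"):
        raise ValueError("not an md5_crypt string")
    salt = stored[3:].split("$", 1)[0].encode("ascii")
    return hmac.compare_digest(md5_crypt(password, salt), stored)


if __name__ == "__main__":
    # Published test vector (passlib docs): password "password", salt "3azHgidD"
    print(md5_crypt(b"password", b"3azHgidD"))
    print(verify(b"password", "$1$3azHgidD$SrJPt7B.9rekpmwJwtON31"))
```

Note that the salt is what makes two users with the same password get different strings, and the 1000 rounds are what made this scheme slower to attack than the single DES-based crypt() in 1994; by today's standards MD5 is fast enough that md5_crypt is itself considered legacy, which is why $5$, $6$ and bcrypt replaced it.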
By looking at the password file, I think the problem is that they upgraded the password hashing code to switch from DES to MD5, but didn't force changes of old passwords. Looks like this was months ago. The newest account I can find with the old style password is #3045 (out of ~60,000).
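The situation described in this last post (a hashing upgrade that left old accounts on the old scheme) is exactly what an audit of the password file should catch. Below is an added Python example, not from the thread, that classifies each stored hash by its prefix as explained in the earlier reply (no prefix and 13 characters from the crypt alphabet = old DES crypt, $1$ = md5_crypt, $2$/$2a$ = blowfish/bcrypt, $3$ = the NT hash as used by FreeBSD, $5$/$6$ = SHA-based crypt) and reports which accounts still need a forced password change. The `email:hash` line format and the sample lines are constructed for this example; the 13-character DES-style values are not real hashes of any password.

```python
import re

# Longest prefixes first so "$2a$" is tested before "$2$"
PREFIX_SCHEMES = [
    ("$2a$", "bcrypt"),
    ("$2$", "bcrypt"),
    ("$1$", "md5_crypt"),
    ("$3$", "nthash"),
    ("$5$", "sha256_crypt"),
    ("$6$", "sha512_crypt"),
]
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

# Schemes considered weak enough that accounts using them should be reset
LEGACY_SCHEMES = {"des_crypt", "nthash"}


def classify(stored: str) -> str:
    """Name the hashing scheme a stored crypt(3)-style string was produced by."""
    for prefix, scheme in PREFIX_SCHEMES:
        if stored.startswith(prefix):
            return scheme
    if DES_CRYPT_RE.fullmatch(stored):
        return "des_crypt"  # no '$' prefix: 2-char salt + 11 chars of DES output
    return "unknown"


def audit(lines):
    """Count schemes and list accounts that still use a legacy one.

    Each line is 'identifier:hash' (constructed format for this example).
    Returns (counts_by_scheme, legacy_identifiers).
    """
    counts = {}
    legacy = []
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        ident, stored = line.split(":", 1)
        scheme = classify(stored)
        counts[scheme] = counts.get(scheme, 0) + 1
        if scheme in LEGACY_SCHEMES:
            legacy.append(ident)
    return counts, legacy


# Constructed sample dump: one md5_crypt user, two DES-era users, one bcrypt user
SAMPLE_DUMP = """\
alice@example.com:$1$3azHgidD$SrJPt7B.9rekpmwJwtON31
bob@example.com:abK1/3rTgWg7M
carol@example.com:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
dave@example.com:xxj31ZMTZzkVA
"""

if __name__ == "__main__":
    counts, legacy = audit(SAMPLE_DUMP.splitlines())
    print("schemes:", counts)
    print("force reset for:", legacy)
```

Running this over a real dump gives the number the post estimates by eye (how many accounts never migrated), and the `legacy` list is what you would feed into a forced-reset or re-hash-on-next-login job.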