This approach helped me to steal passwords in one of my work environments where our HOME directories were mounted on a shared SPARC/Solaris machines and tcsh
was the default shell.
Encryption salt was first 2 characters of the password. I figured this out, somehow. :-)