--- ./lib/encrypt.c.orig 2016-02-24 17:50:42.746383093 +0100
+++ ./lib/encrypt.c 2016-02-24 18:24:14.673714421 +0100
@@ -56,6 +56,14 @@
 return libshadow_md5_crypt(clear, salt);
 #endif
 
+ /* If the salt is too short (eg: disabled account with "x" in the
+ * hash field), then use a different one so that we always emit a
+ * non-matching hash which will never reveal existence or not of
+ * an active account.
+ */
+ if (strlen(salt) < 2)
+ salt = "xx";
+
 #ifdef SW_CRYPT
 /*
 * Copy over the salt. It is always the first two
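Review bot: The new guard `if (strlen(salt) < 2)` only catches hash fields that are too short, so a placeholder of two or more characters that is not a valid salt (for example a `!!`-style lock marker) still reaches the crypt path unchanged. The crypt call and the rest of the function lie outside this hunk, so this is inferred: some libc implementations return NULL for an invalid salt, and the caller's comparison would then need a NULL check to keep the "always emit a non-matching hash" promise. I would extend the comment to say so, e.g. `/* Only the length is checked here; longer invalid fields still reach crypt(), whose result must be NULL-checked. */`. The guard also assumes `salt` is non-NULL, which is worth confirming against the callers.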