A system we're introducing into the organization is not using any traditional hashing function that I can find. I've been assigned to "approve" it by black-box testing.
I suspect passwords are simply being obfuscated or encrypted (not hashed) since the length of the result changes with password length (though there is some minimum, it seems - perhaps padding?).
Here is some data:
password : result 1 : TG3432WB7VU= 11 : r8ahLkJGWbY= 111 : E7fXdNqEWAA= 11111111 : FIcx3a00R4eGhFyHjD56qw== 1111111111 : FIcx3a00R4evxqEuQkZZtg== 2111111111 : GPwnH80qEACvxqEuQkZZtg==
The result is obviously base64, but doesn't decode to anything readable. Before I knew that the result's length changed, I tried taking the decoded bytes and treating them as MD5 and other hashing functions, but that obviously didn't pan out. Now that I know the result changes in length, I'm considering other, worse, alternatives. Of note are the two bold parts above: they're identical in two different passwords. So either each 8 bytes are being processed independently (why?) or there's some polyalphabetic substitution going on(?).
Update:
Any character, including Unicode characters, is accepted by the system for passwords. Repeating a 3-byte character 8 times does result in a 24 byte long "hash".