A look at Booz Allen leaked passwords

The recent attack against Booz Allen led to 90,000 leaked passwords. Unlike previous breaches where the passwords weren’t encrypted, it looks like in this case some care was taken to scramble the data.

Or was it? There’s hashing and there’s hashing. In the case of the Booz breach, cracking hashed password involves brute forcing it – i.e. you have to “guess” the password first and then hash it with sha1 and see if you are successful.

So let’s guess, maybe 123456? 123456 after SHA1 is 7c4a8d09ca3762af61e59520943dc26494f8941b.

Now let’s encode it in base64 (there are tools that do this) and get fEqNCco3Yq9h5ZUglD3CZJT4lBs=

Now let’s search the attached file for fEqNCco3Yq9h5ZUglD3CZJT4lBs= in the hashed file with breached results. And voila, 22 results:

(You can also find “1234”, “12345”, “12345678” the same way).

This process of guessing can be automated using an automated cracker that goes through all options exhaustively (probably using a dictionary of popular password to find popular passwords fast). If the attacked application was following best practices, it should’ve “salt”ed the hash (i.e. concatenating different values to each password before hashing) it would have created a different hash even if the password is the same – and would force the cracker to crack each password individually and not crack all the passwords at once.

That means that no one could find “123456” on all the text file at once as shown above – a hacker would have to do it individually to each password with respect to its salt value.

Every hash can be brute forced. It just takes too much time to try every possible value (if the hashing algorithm is good). Of course, if the victim has chosen a guessable value – it would be easy for the attacker to guess it in just few tries.