Welcome to AppFail
Posted on 2009-06-25
WebCT, the popular Learning Management System used at many post-secondary institutions, fails at implementing password hashing. Version 4.1 of WebCT, which is still in use at a number of schools, uses the crypt() DES hashing algorithm, which truncates the user's password to only eight 7-bit characters. The downside is that, no matter how strong your password is, a brute-force, dictionary, or other attack against it need only consider up to 8 characters, drawn from a limited character set. A recent Core 2 processor at 2.5 GHz can crack salted DES crypt()'d passwords at a rate of 2 to 2.5 million per second, per core. Slashing through the keyspace at a rate of 10 million per second with only a single desktop computer, the entire lowercase alphanumeric keyspace between 1 and 8 characters is exhausted in only 3.5 days. A 2-way 4-core Xeon at 3.0 GHz can crack on the order of 25 million combinations per second, meaning the entire alphanumeric keyspace is exhausted in ~100 days; divide that between 4 of them and you're only talking about a month. Using the power of cloud computing, you could use 20 (the maximum default quota) of the EC2 Extra Large High CPU instances to crack that same keyspace in just over 4 days, at a total cost of $1650, about the same price as a single Xeon X5570 2.93 GHz CPU.
How to tell when you're being "Protected" by DES
Set a reasonably long password, then log out, and when you attempt to log in, use only the first 8 characters of your password. If the login succeeds, then beware: you have DES. Now that nosy neighbor in the computer lab only needs to get the first part of your password to compromise your account. WebCT contains sensitive information such as grades, but also in-progress and submitted assignments, which if stolen could result in a charge of Academic Dishonesty (plagiarism) and possible lost credits or expulsion.
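As an added example (not code from the AppFail post, nor anything from WebCT), the Python below recomputes the post's crack-time figures from the keyspace sizes and guess rates given above, and scripts the "log in with only the first 8 characters" check against a small credential store. The `des_like_digest` function is a constructed stand-in that reproduces only the truncation property of crypt(3) DES (first 8 bytes, low 7 bits of each), not the DES algorithm itself; `PasswordStore`, `truncation_test` and the sample password are hypothetical.

```python
"""Added example, not code from the AppFail post or from WebCT: it recomputes
the post's crack-time figures and scripts the post's manual "log in with only
the first 8 characters" test against a hash store. The DES-like digest below
is a constructed stand-in that copies only the truncation behaviour of
crypt(3) DES (first 8 bytes, low 7 bits of each), not the DES algorithm."""
import hashlib
import hmac
import os

SECONDS_PER_DAY = 86_400


def keyspace(charset_size, max_len, min_len=1):
    """Number of candidate passwords of length min_len..max_len over a charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(charset_size, max_len, rate_per_second):
    """Days needed to try every candidate at a given guesses-per-second rate."""
    return keyspace(charset_size, max_len) / rate_per_second / SECONDS_PER_DAY


def effective_max_len(password_len, truncation=0):
    """Length an attacker must actually cover. A truncating hash (truncation > 0)
    caps it, which is why a 30-character password buys nothing under DES crypt."""
    return password_len if truncation == 0 else min(password_len, truncation)


def post_scenarios():
    """The post's figures, recomputed: 36 lowercase alphanumerics at 10M/s,
    62 alphanumerics at 25M/s (one 2-way quad-core Xeon), and four such Xeons."""
    return {
        "lower_alnum_desktop_days": days_to_exhaust(36, 8, 10e6),   # ~3.4 days
        "alnum_one_xeon_days": days_to_exhaust(62, 8, 25e6),        # ~103 days
        "alnum_four_xeons_days": days_to_exhaust(62, 8, 4 * 25e6),  # ~26 days
    }


def des_like_digest(password, salt):
    """Constructed stand-in: keeps only the first 8 bytes and the low 7 bits of
    each, as DES crypt's 56-bit key does, then hashes. Everything past byte 8
    is silently ignored, so 'passwordXYZ' and 'password' verify identically."""
    key = bytes(b & 0x7F for b in password.encode("utf-8")[:8])
    return hashlib.sha256(salt + key).digest()


def modern_digest(password, salt):
    """Non-truncating comparison: PBKDF2-HMAC-SHA256 over the whole password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordStore:
    """Minimal salted credential store parameterised by the digest function."""

    def __init__(self, digest_fn):
        self.digest_fn = digest_fn
        self.users = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self.digest_fn(password, salt))

    def login(self, user, password):
        record = self.users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self.digest_fn(password, salt))


def truncation_test(store, user, password):
    """The post's manual check, scripted: set a password longer than 8
    characters, then attempt a login with only its first 8. True means the
    store truncates and the extra characters give no protection."""
    if len(password) <= 8:
        raise ValueError("use a password longer than 8 characters for this test")
    store.set_password(user, password)
    return store.login(user, password[:8])


if __name__ == "__main__":
    for name, days in post_scenarios().items():
        print(f"{name}: {days:.1f} days")
    sample = "correct horse battery staple"  # constructed sample password
    print("DES-like store truncates:",
          truncation_test(PasswordStore(des_like_digest), "alice", sample))
    print("PBKDF2 store truncates:",
          truncation_test(PasswordStore(modern_digest), "alice", sample))
```

Running the file prints the three scenario estimates and then the truncation check for both stores: True for the DES-like store, False for the PBKDF2 store. `truncation_test` only needs an object that exposes `set_password` and `login`, which is exactly why the post's check works from the outside: it needs nothing from the hash but the ability to attempt a login.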
By: Allan Jude
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare - Any man can make a mistake; only a fool keeps making the same one.