

Created by: Hank Leininger

Contact Information: pathwell-project@korelogic.com [PGP key] [Old PGP key].

The terms and conditions under which this software is released are set forth in README.LICENSE.


PathWell (Password Topology Histogram Wear-Leveling) is a new approach to measuring and enforcing password complexity, focusing on the uniqueness of each user password's topology.

A password's "topology" is its "shape", such as "Uppercase letter, followed by several lowercase letters, several numbers, and then a special character". When many users are required to create passwords fitting some conventional strength rules (such as minimum length, minimum number of character sets), they tend to gravitate towards common topologies. Password cracking tools incorporate this (called "masks" in Hashcat, for example). A set of password hashes with a slow (difficult) cipher, or a set of very long (14-character or more) passwords may be infeasible to blindly crack, but by focusing on only the 1-5 most popular topologies, an attacker might crack 5-10% or more of an enterprise's user passwords in hours or days instead of months or years of effort.

Password crackers would have a far lower success rate if topologies could not be reused by multiple users. PathWell provides tools to measure the bias in a user population (how overused the most popular topologies are), allow an administrator to disallow the most universally common topologies (blacklists), and/or disallow any user from re-using a topology that is in use by other users of the same system (wear-level enforcement).
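
The three controls described above (bias measurement, blacklists, wear-level enforcement) are shown here in an added Python example; it is not code from libpathwell. The names topology, bias and WearLevel are hypothetical, the Hashcat mask tokens (?u ?l ?d ?s) are an assumed notation for topologies, and the passwords are constructed samples.

```python
"""Added illustration of password topologies; not libpathwell code."""
from collections import Counter
import string

def topology(password):
    """Return the password's shape in Hashcat mask notation (assumed notation)."""
    tokens = []
    for ch in password:
        if ch in string.ascii_uppercase:
            tokens.append("?u")
        elif ch in string.ascii_lowercase:
            tokens.append("?l")
        elif ch in string.digits:
            tokens.append("?d")
        else:
            tokens.append("?s")  # simplification: everything else counts as special
    return "".join(tokens)

def bias(passwords, top_n=1):
    """Fraction of passwords covered by the top_n most common topologies."""
    counts = Counter(topology(p) for p in passwords)
    return sum(n for _, n in counts.most_common(top_n)) / len(passwords)

class WearLevel:
    """Hypothetical policy: blacklist plus one-user-per-topology enforcement."""
    def __init__(self, blacklist=()):
        self.blacklist = set(blacklist)
        self.by_user = {}        # user -> topology that user currently holds
        self.in_use = Counter()  # topology -> number of users holding it

    def set_password(self, user, password):
        t = topology(password)
        if t in self.blacklist:
            return "rejected: blacklisted topology"
        if self.in_use[t] > 0 and self.by_user.get(user) != t:
            return "rejected: topology in use by another user"
        old = self.by_user.get(user)
        if old is not None:
            self.in_use[old] -= 1  # release the user's previous topology
        self.by_user[user] = t
        self.in_use[t] += 1
        return "accepted"

# Constructed sample passwords, not real data.
SAMPLE = ["Summer2019!", "Winter2020!", "Autumn2018?", "tr0ub4dor&3", "7Horses-run"]
```

Three of the five sample passwords share one topology, so bias(SAMPLE) reports that a single mask covers 60% of this population.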

Obtaining LibPathWell:

The current stable release is version 0.7.0, available here: libpathwell-0.7.0.tar.gz [sign]. All releases are PGP-signed using one of the above project keys.

The latest development code can be pulled from a public read-only Git repository here:
git clone https://git.korelogic.com/libpathwell.git
or from GitHub:
git clone https://github.com/KoreLogicSecurity/libpathwell
This contains tags for stable release versions, and any updates since the last release. All git commits are PGP-signed by a key available from MIT PGP keyservers, signed by the above project key.

Please submit comments, feedback, and bug reports to the above contact address, pathwell-project@korelogic.com. Please PGP-encrypt anything sensitive.


Improvements such as new features, bug fixes, etc. can be submitted in multiple ways:
  1. Obtain the source code:
    • from a release tarball,
    • or by cloning the git repository;
  2. Create and send us changes:
    • create a patch using diff -urP, git format-patch, etc., and email the patch to pathwell-project@korelogic.com, or
    • put your modified code in a git repository that we can access (such as GitHub, your own server, etc.), and send us a pull request.
Please PGP sign all patches and correspondence if possible.

Copyright 2019. KoreLogic Security. All rights reserved