Created by: Hank Leininger
Contact Information: firstname.lastname@example.org [PGP key] [Old PGP key].
The terms and conditions under which this software is released are set forth in README.LICENSE.
PathWell (Password Topology Histogram Wear-Leveling) is a new approach to measuring and enforcing password complexity, focusing on the uniqueness of each user password's topology.
A password's "topology" is its "shape", such as "Uppercase letter, followed by several lowercase letters, several numbers, and then a special character". When many users are required to create passwords fitting some conventional strength rules (such as minimum length, minimum number of character sets), they tend to gravitate towards common topologies. Password cracking tools incorporate this (called "masks" in Hashcat, for example). A set of password hashes with a slow (difficult) cipher, or a set of very long (14-character or more) passwords may be infeasible to blindly crack, but by focusing on only the 1-5 most popular topologies, an attacker might crack 5-10% or more of an enterprise's user passwords in hours or days instead of months or years of effort.
Password crackers would have a far lower success rate if topologies could not be reused by multiple users. PathWell provides tools to measure the bias in a user population (how overused the most popular topologies are), allow an administrator to disallow the most universally common topologies (blacklists), and/or disallow any user from re-using a topology that is in use by other users of the same system (wear-level enforcement).
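The three ideas above (measuring bias, blacklisting, wear-level enforcement) can be sketched in a few lines. This is an added example, not PathWell's own code: the function names are hypothetical, topologies are written in Hashcat-style mask notation (?u ?l ?d ?s) as an assumption, and the sample passwords are constructed.

```python
from collections import Counter

def topology(password):
    """Map each character to a mask class: ?u upper, ?l lower, ?d digit, ?s other."""
    out = []
    for ch in password:
        if ch.isascii() and ch.isupper():
            out.append("?u")
        elif ch.isascii() and ch.islower():
            out.append("?l")
        elif ch.isascii() and ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")  # simplification: everything else counts as "special"
    return "".join(out)

def histogram(passwords):
    """Count how many passwords share each topology (the population's bias)."""
    return Counter(topology(p) for p in passwords)

def top_share(hist, n):
    """Fraction of the population covered by the n most popular topologies."""
    total = sum(hist.values())
    return sum(c for _, c in hist.most_common(n)) / total if total else 0.0

def check_new_password(candidate, blacklist, in_use):
    """Return (accepted, detail): reject blacklisted or already-used topologies."""
    t = topology(candidate)
    if t in blacklist:
        return False, "blacklisted topology " + t
    if t in in_use:
        return False, "topology already in use " + t
    return True, t

# Constructed sample population (not real user data).
SAMPLE = ["Password1!", "Football7#", "Qwertyui9!",
          "Summer2024", "Winter2023", "x7!Kp2_mQz"]

if __name__ == "__main__":
    hist = histogram(SAMPLE)
    for topo, count in hist.most_common():
        print(count, topo)
    print("share of top topology:", top_share(hist, 1))
    blacklist = {hist.most_common(1)[0][0]}  # disallow the most common shape
    in_use = set(hist)                       # wear-leveling: one user per shape
    for pw in ["Baseball3$", "Autumn2025", "9kT#rw4vLq"]:
        print(pw, check_new_password(pw, blacklist, in_use))
```

In the sample, three of six passwords share one topology, so a single mask covers half the population; a candidate is accepted only if its shape is neither blacklisted nor already taken.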
The current stable release is version 0.7.0, available here: libpathwell-0.7.0.tar.gz [sign]. All releases are PGP-signed using one of the above project keys.
The latest development code can be pulled from a public read-only Git repository here:
git clone https://git.korelogic.com/libpathwell.git
or from GitHub:
git clone https://github.com/KoreLogicSecurity/libpathwell
This contains tags for stable release versions, and any updates since the last release. All git commits are PGP-signed by a key available from MIT PGP keyservers, signed by the above project key.
Please submit comments, feedback, and bug reports to the above contact address, email@example.com. Please PGP-encrypt anything sensitive.
Improvements such as new features, bug fixes, etc. can be submitted in multiple ways: