I am thrilled to announce the first public release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement. Version 0.6.1 is available for download here.

We have blogged and written and presented about PathWell several times, but now we've finally dropped the code.

The LibPathWell release is a PAM module and supporting library to implement password topology complexity enforcement. There is a static component called blacklisting that allows you to seed the PathWell database with the most popular password topologies, so instead of an attacker cracking 25%+ in their first few mask attacks, they get zero. And then there are dynamic components ensuring that enterprise users, as they change their passwords, are forced to choose new passwords that are substantially different from one another.
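To make the two kinds of check described above concrete, here is an added example (not code from LibPathWell). It assumes hashcat-style class letters u/l/d/s for a topology, a constructed four-entry blacklist, and Levenshtein distance with a caller-chosen minimum as the measure of "substantially different"; all function names are hypothetical.

```c
#include <ctype.h>
#include <string.h>

#define MAX_TOPO 128
/* Constructed sample blacklist (assumption); real data would come from cracked-password statistics. */
static const char *const BLACKLIST[] = { "ullllldd", "ullllllldd", "ullldddd", "llllllll" };

/* Map each character to its class: u=upper, l=lower, d=digit, s=anything else. */
void pw_topology(const char *pw, char *out, size_t outlen) {
    size_t i = 0;
    for (; pw[i] != '\0' && i + 1 < outlen; i++) {
        unsigned char c = (unsigned char)pw[i];
        out[i] = isupper(c) ? 'u' : islower(c) ? 'l' : isdigit(c) ? 'd' : 's';
    }
    out[i] = '\0';
}

/* Levenshtein distance between two topologies; both must be shorter than MAX_TOPO. */
int topo_distance(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    int row[MAX_TOPO + 1];
    for (size_t j = 0; j <= lb; j++) row[j] = (int)j;
    for (size_t i = 1; i <= la; i++) {
        int diag = row[0];              /* cost for a[0..i-2] vs b[0..j-2] */
        row[0] = (int)i;
        for (size_t j = 1; j <= lb; j++) {
            int up = row[j];
            int best = diag + (a[i - 1] != b[j - 1]);      /* substitute or match */
            if (row[j - 1] + 1 < best) best = row[j - 1] + 1; /* insert */
            if (up + 1 < best) best = up + 1;                 /* delete */
            row[j] = best;
            diag = up;
        }
    }
    return row[lb];
}

/* 0 = accepted, 1 = new topology is blacklisted, 2 = too close to the old topology. */
int check_change(const char *old_pw, const char *new_pw, int min_distance) {
    char t_old[MAX_TOPO], t_new[MAX_TOPO];
    pw_topology(old_pw, t_old, sizeof t_old);
    pw_topology(new_pw, t_new, sizeof t_new);
    for (size_t i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++)
        if (strcmp(t_new, BLACKLIST[i]) == 0) return 1;
    if (topo_distance(t_old, t_new) < min_distance) return 2;
    return 0;
}
```

Changing "Summer14!" to "Winter15?!" replaces every character but moves the topology by only one edit, which is the kind of change the dynamic check is meant to refuse.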

tl;dr: PathWell makes enterprise user passwords 5-6 orders of magnitude harder to guess!

This release is not the current code. It is basically the last version cut at the end of our DARPA-sponsored CFT (Cyber Fast Track) project, with an appropriate open-source license applied. We've been working on making PathWell more user-friendly, like the password creation guidance I alluded to at the end of the presentation linked above.

But that code isn't done yet, and we got tired of the existing code not being available to the public, so here it is.

License

LibPathWell is released under the GNU Affero General Public License Version 3 (AGPLv3). See the README.LICENSE file in the distribution tarball for all the legalese - basically this is just like the GPLv3 except that it also explicitly applies to network services that users interact with (without "running" programs in the conventional sense). There is a patent on the topology wear leveling stuff; use of that is granted by the software license as long as you comply with it. If you want to implement PathWell in a commercial operating system, website, or Identity Management product in a way that isn't compatible with AGPL (i.e., closed-source), or you want us to do so, talk to us.

Known Issues

This branch was effectively frozen in late 2013. Since then, some current Linux distributions' dependencies have changed. Everything works great on current Gentoo, but you may encounter header file issues with recent versions of some of the other distributions (e.g., Ubuntu) listed in README.INSTALL as supported. Meanwhile, some distributions whose libraries were too old at the time (I'm looking at you, RHEL) may now work out of the box, so our documentation needs updating. We'll push those fixes to the public git repository as we can, but probably not before DEFCON; we have a contest to run. Be sure to watch our git repository, or better still, submit some patches. ;)

Mushy Stuff

I can't thank enough my coworkers who did more to make PathWell an actual thing than I did. Particularly Klayton, Sean, and Mick; without your efforts and persistence this would just be another idea rotting in the back of my brain while I chase squirrels.