New LibPathWell Release, and an Updated Talk (2017-05-12 23:30)
A couple of weeks ago we released a PathWell update, version 0.7.0, available here. I had the pleasure of giving a talk about it at RMISC yesterday that highlighted the new features; the slides are here. [PDF warning]
The primary user-visible change in this release is an administrator-configurable hinting engine, to provide different levels of feedback to users whose new password choice is rejected. The hint engine suggests changes to a rejected candidate password which, if adopted by the user, would result in a new password that would be accepted. The amount of detail returned to the user is configurable to a variety of "levels". For example, at medium hint level, the hint engine suggests a randomly-generated topology change such as the one shown below:
```
### Trying to set a password of 'April2017!'
testuser@foo ~ $ passwd
Changing password for testuser.
Current password:
New password:
Retype new password:
pam_pathwell:
                                          ull lldddds
                                             |       |
insert a special character ------------------+       |
                                                     |
insert a digit --------------------------------------+
This should produce the following topology: ullsllddddsd
passwd: Authentication token manipulation error
passwd: password unchanged
testuser@foo ~ $
```
At high hint level, the hint engine actually suggests a randomly-modified version of the chosen password. Obviously, the hinting capability must be used with care; an attacker who can shoulder-surf or recover script sessions of users changing their passwords will obtain sensitive information. More details, examples, and caveats are available in my RMISC presentation slides.
The hint engine supports multiple output methods; simple text is appropriate for the PAM module. There is also JSON output for use with other front-ends, such as web applications seeking to use PathWell for dynamic password strength enforcement. Currently the hint engine is only enabled for blacklist failures, but we intend to connect it for violations of the other enforcement options of minlev (minimum Levenshtein distance) and maxuse (maximum use count) as well.
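To make the mechanics above concrete, here is a small Python model of a PathWell-style check and hint engine. It is an added example, not code from libpathwell: it maps a candidate password to its u/l/d/s topology (the same class letters the session above uses, so 'April2017!' becomes 'ulllldddds'), rejects blacklisted topologies, enforces a minimum Levenshtein distance to the current password, and, for blacklist failures only, produces a medium-level hint (a random topology change, rendered as text) or a high-level hint (a concrete modified password). The blacklist contents, the level names "none"/"medium"/"high", the pointer layout and all function names are assumptions made for this illustration.

```python
"""PathWell-style topology check and hint engine, as an illustration.

Added example, not libpathwell code.  Class letters u/l/d/s follow the
topology strings in the post (e.g. 'April2017!' -> 'ulllldddds').  The
blacklist contents, the hint level names and the hint layout are
assumptions made for this example.
"""
import json
import random
import string

# Constructed topology blacklist (modelled on the post's rejected example;
# PathWell's real list is derived from breached-password statistics).
BLACKLIST = {"ulllldddds", "ullllldddd", "ullllllldd", "llllllllld", "lllllldddd"}

CLASS_NAMES = {"u": "an uppercase letter", "l": "a lowercase letter",
               "d": "a digit", "s": "a special character"}
CLASS_CHARS = {"u": string.ascii_uppercase, "l": string.ascii_lowercase,
               "d": string.digits, "s": string.punctuation}


def topology(password):
    """Map each character to its class: u=upper, l=lower, d=digit, s=special."""
    return "".join("u" if c.isupper() else "l" if c.islower()
                   else "d" if c.isdigit() else "s" for c in password)


def levenshtein(a, b):
    """Edit distance used by the minlev check (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suggest_topology(topo, blacklist, rng, inserts=2, attempts=200):
    """Medium hint level: insert `inserts` random class letters at random
    positions until the resulting topology is off the blacklist.
    Returns a list of (class letter, inserted?) cells, or None."""
    for _ in range(attempts):
        cells = [(c, False) for c in topo]
        for _ in range(inserts):
            cells.insert(rng.randrange(len(cells) + 1), (rng.choice("ulds"), True))
        if "".join(c for c, _ in cells) not in blacklist:
            return cells
    return None


def render_hint(cells):
    """Text rendering in the spirit of the PAM module's output: the rejected
    topology with a blank at each insertion point, plus one pointer per insert."""
    final = "".join(c for c, _ in cells)
    lines = ["".join(" " if ins else c for c, ins in cells)]
    for i, (c, ins) in enumerate(cells):
        if ins:
            lines.append(" " * i + "^ insert " + CLASS_NAMES[c])
    lines.append("This should produce the following topology: " + final)
    return "\n".join(lines)


def concretize(password, cells, rng):
    """High hint level: realise the suggested topology on the actual candidate by
    inserting a random character of the chosen class at each insertion point."""
    original = iter(password)
    return "".join(rng.choice(CLASS_CHARS[c]) if ins else next(original)
                   for c, ins in cells)


def evaluate(candidate, current=None, blacklist=BLACKLIST, minlev=4,
             level="medium", seed=None):
    """Apply the blacklist and minlev checks and, for blacklist failures only
    (as the post says the current engine does), attach a hint.  The result is a
    plain dict so it can be emitted as JSON for non-PAM front-ends."""
    rng = random.Random(seed)
    topo = topology(candidate)
    result = {"topology": topo, "accepted": True, "reasons": [], "hint": None}
    if topo in blacklist:
        result["accepted"] = False
        result["reasons"].append("topology is blacklisted")
    if current is not None and levenshtein(candidate, current) < minlev:
        result["accepted"] = False
        result["reasons"].append("Levenshtein distance to current password "
                                 "is below minlev=%d" % minlev)
    if topo in blacklist and level in ("medium", "high"):
        cells = suggest_topology(topo, blacklist, rng)
        if cells is not None:
            result["hint"] = {"suggested_topology": "".join(c for c, _ in cells),
                              "text": render_hint(cells)}
            if level == "high":
                result["hint"]["example_password"] = concretize(candidate, cells, rng)
    return result


if __name__ == "__main__":
    # Same candidate as the post's session; seed fixed so the run is repeatable.
    print(json.dumps(evaluate("April2017!", level="high", seed=2017), indent=2))
```

Running the script prints the JSON form of the result for the post's own candidate, including the text hint a PAM front-end would show and, because the high level is selected, an example password realising the suggested topology. The `seed` argument only exists to make runs reproducible; a real deployment would draw from a proper entropy source, and the high level should be reserved for environments where the session output cannot be observed or logged.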
Less visible changes in this release include some restructuring of the code/API, adding and moving functionality into the core library. This facilitates using libpathwell for things other than PAM, such as integrating into an LDAP server, calling from Java code using JNI, etc. As a result, the PAM module code was reduced and simplified. We also expanded unit test coverage and added two more command-line utilities: pathwell-setuc and pathwell-chkpw. The core and PAM library versions have both been bumped as a result of these changes.
Our next steps for the project include the expansion of the hint engine as mentioned above, Perl Compatible Regular Expression (PCRE) blacklist support, and Active Directory (AD) support. We have an AD passfilt.dll version of PathWell in alpha, but since we do not run any production Windows systems, we are looking for organizations that want to help us with larger scale tests. Please contact us at pathwell-project at korelogic.com [PGP key] if you are interested in being an alpha tester, or in using libpathwell in a commercial product.
Posted by Hank at 23:30
