Abstract or Summary:
PathWell is a novel approach to enforcing password complexity, designed to thwart modern cracking tools and approaches while retaining compatibility with existing enterprise authentication systems and password stores. Recent trends in password cracking, such as the Hashcat suite's mask modes, focus on common password ""shapes"" or topologies, such as ""start with an uppercase letter, then several lowercase letters, then several digits"" -> ""?u?l?l?l?l?l?d?d"". We find that topology use is so skewed, that by exhausting the 1-5 most common topologies (out of tens of thousands to millions of possible topologies) will result in 25+% of all passwords cracking for a typical enterprise network. PathWell is a way to audit and/or enforce topology uniqueness across an enterprise. This greatly reduces the attacker's success rate when cracking passwords, and increases their work factor to crack any sizable percentage. The concepts apply to both medium-weak hash types, extending the effective lifespan of deployed systems, and also to systems using stronger hash types, making them even more resistant to cracking.

LibPathWell software project page here: https://git.korelogic.com/libpathwell.git/

PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=O0ENSXFwdqY