Password auditor – recognize weak passwords


For years, “123456” and “password” have topped the list of the simplest yet most popular passwords. By now, every computer user should know that such simple sequences of numbers and letters are unsuitable as passwords and can be cracked in seconds, and that this cracking is fully automated. It opens the door for cyber criminals to steal personal data or plant malware on the computer.

Simple passwords are a problem for companies

In companies, the resulting damage can run into millions or even threaten the company’s existence. Not least, administrators in small and large companies alike are held to account when such passwords have compromised the security of company data.

It is a great responsibility to ensure that users follow the rules and use complex, hard-to-guess credentials. But users go to great lengths to avoid having to remember difficult sequences of numbers and letters, and company requirements are often circumvented.

Those responsible in the company often cannot keep up with closing the gaps that simple passwords open, so they regularly adjust the company policy. It becomes a cat-and-mouse game, since employees often do not appreciate why strong passwords matter and find the rules annoying.

The “Password Auditor” finds unsafe passwords

It is therefore all the more important to regularly check whether unsafe passwords could allow unauthorized access to data. To accomplish this task, Specops offers the free “Password Auditor” tool.

It allows the existing password requirements in the company to be compared with the usual industry standards, and shows whether and how security can be improved. The software requires an Active Directory and is a read-only solution: it makes no changes.

Extensive password tests with meaningful evaluation

Once installed, the tool reads the domain’s password guidelines and fine-grained password policies. The “Password Auditor” also takes into account guidelines created with the enterprise solution “Specops Password Policy”.

First, the program queries the domain and lets you select one of the domain controllers found in the network. It then offers to download a blacklist against which the “Password Auditor” additionally checks. This blacklist is almost five gigabytes in size and contains over a billion passwords that were exposed in security incidents around the world and should no longer be used.

The test begins after the file is downloaded. Depending on the number of users and the structure of the Active Directory, the evaluation takes some time. When it finishes, the tool displays reports on the existing user and password guidelines. The Specops Password Auditor checks the passwords and analyzes the extent to which compromised passwords are in use. It also checks whether existing passwords comply with current guidelines or have expired, and whether an account is inactive.

When testing against the usual password guidelines, the developers rely on the guidelines of MS Research, MS TechNet, the National Cyber Security Center (NCSC), the National Institute of Standards and Technology (NIST), the data security standard of the PCI Security Standards Council, as well as SANS Admin and SANS User. Depending on the specification or recommendation, the “Password Auditor” checks password length, password age, the stored password history, complexity, and whether users avoid common dictionary words.
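The policy comparison described above can be illustrated with a short script. The following is an added example written for this article, not code from Specops or from the Password Auditor: it takes a policy object with the property names that the ActiveDirectory cmdlet Get-ADDefaultDomainPasswordPolicy returns and reports which guideline checks pass. The thresholds (minimum length 12, history 24, maximum age 365 days, lockout threshold 10) are illustrative assumptions chosen for the example and not figures from the article or from any one standard; the standards the article names differ on these points, which is why they are parameters. The sample policy at the end is constructed so the script runs without a domain.

```powershell
# Added example, not part of the Specops tool: compare a domain password policy
# against a set of guideline checks and return one pass/fail row per check.
# Thresholds are assumptions for illustration; adjust them to the standard you audit against.

function Get-PasswordPolicyFindings {
    param(
        # Object exposing the property names Get-ADDefaultDomainPasswordPolicy returns:
        # MinPasswordLength, PasswordHistoryCount, MaxPasswordAge (TimeSpan),
        # ComplexityEnabled, LockoutThreshold, ReversibleEncryptionEnabled.
        [Parameter(Mandatory)] $Policy,
        [int]$MinLength = 12,
        [int]$MinHistory = 24,
        [int]$MaxAgeDays = 365,
        [int]$MaxLockoutThreshold = 10
    )

    $ageDays = $Policy.MaxPasswordAge.TotalDays

    $checks = @(
        [pscustomobject]@{
            Check  = "Minimum length >= $MinLength"
            Actual = $Policy.MinPasswordLength
            Passed = $Policy.MinPasswordLength -ge $MinLength
        }
        [pscustomobject]@{
            Check  = "Password history >= $MinHistory"
            Actual = $Policy.PasswordHistoryCount
            Passed = $Policy.PasswordHistoryCount -ge $MinHistory
        }
        [pscustomobject]@{
            # Assumption: a maximum age of 0 days is treated as "passwords never expire"
            Check  = "Maximum age set and <= $MaxAgeDays days"
            Actual = $ageDays
            Passed = ($ageDays -gt 0) -and ($ageDays -le $MaxAgeDays)
        }
        [pscustomobject]@{
            Check  = 'Complexity requirements enabled'
            Actual = $Policy.ComplexityEnabled
            Passed = [bool]$Policy.ComplexityEnabled
        }
        [pscustomobject]@{
            # A lockout threshold of 0 means accounts are never locked out
            Check  = "Lockout threshold between 1 and $MaxLockoutThreshold"
            Actual = $Policy.LockoutThreshold
            Passed = ($Policy.LockoutThreshold -ge 1) -and ($Policy.LockoutThreshold -le $MaxLockoutThreshold)
        }
        [pscustomobject]@{
            Check  = 'Reversible encryption disabled'
            Actual = $Policy.ReversibleEncryptionEnabled
            Passed = -not $Policy.ReversibleEncryptionEnabled
        }
    )
    return $checks
}

# Constructed sample policy so the example runs offline. Against a real domain use
#   $policy = Get-ADDefaultDomainPasswordPolicy
# and repeat the call for each object from Get-ADFineGrainedPasswordPolicy -Filter *
$policy = [pscustomobject]@{
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    ComplexityEnabled           = $true
    LockoutThreshold            = 0
    ReversibleEncryptionEnabled = $false
}

Get-PasswordPolicyFindings -Policy $policy | Format-Table -AutoSize
```

With the constructed sample, the length and lockout checks fail and the other four pass, which is the kind of per-guideline summary the auditor presents; in a real audit the same function would be run once for the default domain policy and once for every fine-grained policy, since each applies to a different set of users.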

Evaluation shows weak points

The software then presents the test result in an overview, listing which password guidelines the current settings satisfy and where there is still room for improvement. The program also indicates whether several accounts share the same password, which accounts have administrative access, which have no password set, and which passwords expire within the next 10 days or have already expired.

With this summary, the “Password Auditor” exposes weaknesses and helps the IT department plan the blocking or resetting of passwords. The tool also helps to identify expiring and expired passwords as well as inactive admin accounts, which can then be blocked or adjusted proactively.
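The account-level findings listed above (no password required, expiring within 10 days, already expired, inactive admin accounts) can be derived from ordinary user attributes, without touching password hashes. The script below is an added example written for this article, not Specops code: it works on records carrying the attribute names Get-ADUser returns, uses the article’s 10-day expiry window, and treats a 90-day logon gap and adminCount=1 as the markers of an inactive admin account; both of those are assumptions chosen for the example. The expiry date is computed as PasswordLastSet plus the domain maximum age, a simplification that ignores fine-grained policies; the sample records are constructed so the script runs offline.

```powershell
# Added example, not part of the Specops tool: flag accounts with weak or stale
# password state from the attributes an AD user object exposes.

function Get-AccountFindings {
    param(
        [Parameter(Mandatory)] [object[]]$Users,
        [Parameter(Mandatory)] [TimeSpan]$MaxPasswordAge,
        [int]$ExpiryWarningDays = 10,   # window named in the article
        [int]$InactiveDays = 90,        # assumption for "inactive"
        [DateTime]$Now = (Get-Date)
    )

    foreach ($u in $Users) {
        $findings = [System.Collections.Generic.List[string]]::new()

        # PASSWD_NOTREQD flag: the account may have an empty password
        if ($u.PasswordNotRequired) { $findings.Add('NoPasswordRequired') }

        if ($u.PasswordNeverExpires) {
            $findings.Add('PasswordNeverExpires')
        } elseif ($u.PasswordLastSet) {
            # Simplified expiry: last set + domain maximum age. Against a live domain,
            # read msDS-UserPasswordExpiryTimeComputed, which also honours fine-grained policies.
            $expires = $u.PasswordLastSet + $MaxPasswordAge
            if ($expires -lt $Now) {
                $findings.Add('PasswordExpired')
            } elseif ($expires -lt $Now.AddDays($ExpiryWarningDays)) {
                $findings.Add("ExpiresWithin${ExpiryWarningDays}Days")
            }
        }

        # adminCount=1 marks accounts protected by AdminSDHolder (current or former
        # members of privileged groups); used here as the "administrative access" marker.
        $isAdmin  = $u.AdminCount -eq 1
        $inactive = $u.Enabled -and
                    (-not $u.LastLogonDate -or $u.LastLogonDate -lt $Now.AddDays(-$InactiveDays))
        if ($isAdmin -and $inactive) { $findings.Add('InactiveAdmin') }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Account  = $u.SamAccountName
                IsAdmin  = $isAdmin
                Enabled  = $u.Enabled
                Findings = $findings -join ','
            }
        }
    }
}

# Constructed sample records. Against a real domain replace them with:
#   $users = Get-ADUser -Filter * -Properties PasswordLastSet,PasswordNeverExpires,
#            PasswordNotRequired,LastLogonDate,AdminCount
$now   = Get-Date '2024-06-01'
$users = @(
    [pscustomobject]@{ SamAccountName='svc.backup'; Enabled=$true;  AdminCount=1; PasswordLastSet=$now.AddDays(-200); PasswordNeverExpires=$true;  PasswordNotRequired=$false; LastLogonDate=$now.AddDays(-150) }
    [pscustomobject]@{ SamAccountName='j.doe';      Enabled=$true;  AdminCount=0; PasswordLastSet=$now.AddDays(-85);  PasswordNeverExpires=$false; PasswordNotRequired=$false; LastLogonDate=$now.AddDays(-1) }
    [pscustomobject]@{ SamAccountName='m.smith';    Enabled=$true;  AdminCount=0; PasswordLastSet=$now.AddDays(-120); PasswordNeverExpires=$false; PasswordNotRequired=$false; LastLogonDate=$now.AddDays(-3) }
    [pscustomobject]@{ SamAccountName='kiosk01';    Enabled=$true;  AdminCount=0; PasswordLastSet=$now.AddDays(-10);  PasswordNeverExpires=$false; PasswordNotRequired=$true;  LastLogonDate=$now.AddDays(-2) }
    [pscustomobject]@{ SamAccountName='old.admin';  Enabled=$false; AdminCount=1; PasswordLastSet=$now.AddDays(-400); PasswordNeverExpires=$false; PasswordNotRequired=$false; LastLogonDate=$null }
)

Get-AccountFindings -Users $users -MaxPasswordAge ([TimeSpan]::FromDays(90)) -Now $now | Format-Table -AutoSize
```

With a 90-day maximum age and the sample records, svc.backup is reported as a never-expiring, inactive admin, j.doe as expiring within 10 days, m.smith as expired, and kiosk01 as requiring no password; old.admin is disabled and so produces no inactive-admin finding. Shared passwords, which the auditor also reports, cannot be detected from these attributes; that check needs the hash comparison the tool performs itself.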

The “Password Auditor” software is available free of charge as an MSI package for Windows and can be downloaded from