Active Directory Password Audit
Your policy tells you the rules. A password audit tells you whether they're working.

When to Audit
When does a password audit make sense?
A password audit is an assessment we often include during an internal network penetration test. Where internal pentesting involves active testing of your live environment, a password audit is an entirely offline exercise: we analyse what your users are actually setting against your password policy, current standards, and known-bad password lists.
After or alongside an internal network pentest
Compliance-driven policy assurance
Following a security incident
Periodic Active Directory hygiene
What We Analyse
What does a password audit cover?
Offline hash cracking
Password policy assessment
Password reuse and frequency
Pattern and composition analysis
Privileged account assessment
Breach-data credential exposure
Our Methodology
How a password audit works
Scoping
We agree the scope of the assessment, confirm which accounts or organisational units are in scope, and document the rules of engagement and data handling arrangements before anything else begins.
Secure hash provision
We can either remotely access your environment, visit you on-site, or we can provide clear guidance on extracting a export or password hash dump from your Domain Controller using built-in Windows tooling. You transfer the file to us via encrypted upload to our secure infrastructure.
Offline cracking
Cracking is conducted entirely offline on our own local infrastructure. We apply layered techniques that includes dictionary attacks, hybrid rules, brute force, and pattern-based approaches - tuned to your target environment using wordlists and rulesets refined through extensive prior work.
Analysis
Results are analysed across all categories: crack rates, reuse, patterns, privileged accounts, and breach exposure. Analysis is completed before reporting begins, so findings are contextualised rather than presented as raw output.
Reporting
Findings are written up in a structured report covering both an executive summary and detailed technical findings, with recommendations tied to NIST SP 800-63B and NCSC guidance. No sensitive information is included in the report beyond what is necessary to understand the findings and their context.
Debrief
We offer a debrief session to walk through results, answer questions, and discuss remediation priorities with your technical team or wider stakeholders. We can even present findings to your board or executive team if preferred.
Key Deliverables
What your report includes
The password audit report is structured to be useful to both technical teams and senior stakeholders. All findings include context on risk and specific recommendations for remediation.
The goal isn't to single out individual users, it's to provide you with an understanding of the overall credential health of your domain and the actions you can take to improve it.
Executive Summary
Crack Rate Metrics
Categorised Findings
Password Policy Gap Analysis
Remediation Guidance
Common Questions
Password auditing - frequently asked questions
Internal network penetration testing is an active, live assessment: we connect to your network and simulate an attacker moving through your environment in real time. A password audit is an offline exercise conducted to focus on one of the most common lateral movement vectors: insecure passwords.
Where internal testing shows how far an attacker can get, a password audit shows specifically what proportion of your users have weak, reused, or predictable passwords and what patterns they follow across the whole domain. The two assessments complement each other well and can be scoped together.
See our internal network penetration testing service for more on what that engagement involves.
No, but we can visit you on-site or remotely connect to your network if preferred. The assessment itself is conducted entirely offline against a password hash dump or NTDS.dit export that you can provide to us. There is no requirement for direct access to your Active Directory environment, and we do not run any tools against your live infrastructure that could impact the availability of user accounts.
You can transfer the file to us via encrypted upload to our secure infrastructure, GPG/PGP, . Data handling arrangements are confirmed before work begins, and all materials are deleted once reporting is complete. The same level of confidentiality applies across all of our engagements.
We assess your password policy against NIST SP 800-63B and NCSC password guidance. Both have moved away from mandatory complexity rules and regular forced rotation in favour of length, screening against known-bad passwords, and MFA. We identify where your policy aligns or diverges and provide specific recommendations grounded in both standards.
For background on how password cracking works in practice, see our article on password cracking and how it works.
Find out how secure your passwords really are
A short scoping call is all it takes to understand whether a password audit is right for your organisation and what it would involve. Quotes are provided within one business day.
