Active Directory Password Audit

Your policy tells you the rules. A password audit tells you whether they're working.

We audit your Active Directory password hashes offline to show you what your users are actually setting - how many are weak, reused, or follow predictable patterns - without brute-forcing your live systems.
Active Directory password auditing services and pentesting

When to Audit

When does a password audit make sense?

A password audit is an assessment we often include during an internal network penetration test. Where internal pentesting involves active testing of your live environment, a password audit is an entirely offline exercise: we analyse what your users are actually setting against your password policy, current standards, and known-bad password lists.

After or alongside an internal network pentest

Internal testing reveals that weak or reused passwords are exploitable. A password audit tells you the scale of the problem across your whole domain, not just the credentials an attacker happened to encounter during testing.

Compliance-driven policy assurance

NIST SP 800-63B, NCSC password guidance, and Cyber Essentials all set expectations around password policy. An audit provides documented evidence that your policy is being followed in practice, and supports further user education.

Following a security incident

Where a compromised credential was a factor in an incident, an audit of your full password estate tells you whether the conditions that allowed it remain in place, and how widespread the underlying problem is.

Periodic Active Directory hygiene

Password quality degrades over time. Staff turnover, policy changes, and long-established accounts can all contribute to a weaker credential estate than your current policy would suggest. A periodic audit establishes the current position.

What We Analyse

What does a password audit cover?

The assessment is conducted entirely offline from an NTDS.dit export or password hash dump. We apply targeted cracking techniques alongside analysis of the results to produce a detailed picture of your password estate.
01

Offline hash cracking

We crack hashes using targeted wordlists, custom rulesets, and techniques that we've refined through hands-on password-auditing work and open-source tooling developed in-house. Results show which passwords were recovered, how quickly, and what they were - giving you a realistic measure of how exposed your credential estate would be against an attacker with comparable capabilities.
02

Password policy assessment

Your configured password policy is assessed against NIST SP 800-63B and NCSC password guidance. We identify where your policy diverges from current recommendations, including minimum length enforcement and how many passwords in the estate fall below it.
03

Password reuse and frequency

We identify the number of unique passwords in use across the domain and flag passwords shared between multiple accounts. A high frequency of a single password across many accounts is a reliable indicator of poor password management practices. We also compare credential strength between privileged and standard accounts.
04

Pattern and composition analysis

Cracked passwords are analysed for predictable patterns: dictionary words and common mutations, keyboard walks, dates and date-containing passwords, the company name or its variations, usernames embedded in passwords, and character substitution patterns. This analysis also informs further targeted cracking passes to improve our coverage.
05

Privileged account assessment

Administrative and service accounts with weak or guessable passwords represent a high risk given the elevated permissions they typically hold. We specifically flag privileged accounts where cracked passwords fall into weak or predictable categories.
06

Breach-data credential exposure

We cross-reference recovered credentials against known breach data collections. Accounts appearing in publicly available breach data may still be active in your environment or reused on external services.

Our Methodology

How a password audit works

01

Scoping

We agree the scope of the assessment, confirm which accounts or organisational units are in scope, and document the rules of engagement and data handling arrangements before anything else begins.

02

Secure hash provision

We can either remotely access your environment, visit you on-site, or we can provide clear guidance on extracting a export or password hash dump from your Domain Controller using built-in Windows tooling. You transfer the file to us via encrypted upload to our secure infrastructure.

03

Offline cracking

Cracking is conducted entirely offline on our own local infrastructure. We apply layered techniques that includes dictionary attacks, hybrid rules, brute force, and pattern-based approaches - tuned to your target environment using wordlists and rulesets refined through extensive prior work.

04

Analysis

Results are analysed across all categories: crack rates, reuse, patterns, privileged accounts, and breach exposure. Analysis is completed before reporting begins, so findings are contextualised rather than presented as raw output.

05

Reporting

Findings are written up in a structured report covering both an executive summary and detailed technical findings, with recommendations tied to NIST SP 800-63B and NCSC guidance. No sensitive information is included in the report beyond what is necessary to understand the findings and their context.

06

Debrief

We offer a debrief session to walk through results, answer questions, and discuss remediation priorities with your technical team or wider stakeholders. We can even present findings to your board or executive team if preferred.

Key Deliverables

What your report includes

The password audit report is structured to be useful to both technical teams and senior stakeholders. All findings include context on risk and specific recommendations for remediation.

The goal isn't to single out individual users, it's to provide you with an understanding of the overall credential health of your domain and the actions you can take to improve it.

Executive Summary

A plain-language overview of the overall credential health of your domain, the key findings, and the actions arising from the assessment.

Crack Rate Metrics

The overall percentage of hashes recovered, broken down by account type (standard, privileged, service accounts), and time-to-crack distribution - showing how quickly an attacker could realistically obtain valid credentials.

Categorised Findings

Findings grouped by weakness type: reused passwords, predictable patterns, policy non-compliance, privileged account weaknesses, and breach-exposed credentials. Each category includes specific examples and account-level detail.

Password Policy Gap Analysis

A comparison of your current policy configuration against NIST SP 800-63B and NCSC guidance, with specific recommendations where your policy diverges from current best practice.

Remediation Guidance

Practical, prioritised guidance for each finding type, covering policy changes, tooling recommendations, and user education measures.

Common Questions

Password auditing - frequently asked questions

Internal network penetration testing is an active, live assessment: we connect to your network and simulate an attacker moving through your environment in real time. A password audit is an offline exercise conducted to focus on one of the most common lateral movement vectors: insecure passwords.

Where internal testing shows how far an attacker can get, a password audit shows specifically what proportion of your users have weak, reused, or predictable passwords and what patterns they follow across the whole domain. The two assessments complement each other well and can be scoped together.

See our internal network penetration testing service for more on what that engagement involves.

No, but we can visit you on-site or remotely connect to your network if preferred. The assessment itself is conducted entirely offline against a password hash dump or NTDS.dit export that you can provide to us. There is no requirement for direct access to your Active Directory environment, and we do not run any tools against your live infrastructure that could impact the availability of user accounts.

You can transfer the file to us via encrypted upload to our secure infrastructure, GPG/PGP, . Data handling arrangements are confirmed before work begins, and all materials are deleted once reporting is complete. The same level of confidentiality applies across all of our engagements.

We assess your password policy against NIST SP 800-63B and NCSC password guidance. Both have moved away from mandatory complexity rules and regular forced rotation in favour of length, screening against known-bad passwords, and MFA. We identify where your policy aligns or diverges and provide specific recommendations grounded in both standards.

For background on how password cracking works in practice, see our article on password cracking and how it works.

Find out how secure your passwords really are

A short scoping call is all it takes to understand whether a password audit is right for your organisation and what it would involve. Quotes are provided within one business day.