Skip to content
Security audit

Password Audit

Check your organisation-wide password policy with a technical password audit. Identify weak user passwords and harden your policies.

Scope of the Assessment

During this assessment, our ethical hackers evaluate the password strength in your company. Our technical analysis is conducted without user context and can be coordinated with your works council or data privacy team. The test is conducted remotely.

Technical Analysis

Evaluate your password policy in a technical manner.

Anonymous Evaluation

Passwords are cracked without correlation to employees.

Conform Audit

Our testing procedure is coordinated with your works council or data privacy team.

Measureable Statistics

We track your progress in regular audits.

Secure Data Exchange

Sensitive data is exchanged via our encrypted file platform.

Our Own Infrastrucutre

We host local cracking servers ourselves. No data is stored remotely or in the cloud.


More than half of all employee passwords can be cracked during our analysis. This hints towards a low password quality. ¹

Password reuse is present in almost any company and will be detected during our assessment. ²


Almost two thirds of all cracked employee passwords consist of easily guessable dictionary entries. ³

Active Directory Password Audit

Our approach

In an Active Directory password audit, we extract the password hashes of all users in your Active Directory domain(s) without user context. We then attempt to convert these password hashes into their plaintext form using freely available password lists and other cracking methods.

Our follow-up quality analysis of the identified plaintext passwords can provide measurable results on the existing password strength in your organization. This also enables you to obtain an overview of potential weak points in your company and the Active Directory configuration and to fundamentally eliminate them.

These are some of the evaluations that are part of our anonymous password audit:

  • Password strength in your Active Directory domain
  • Password reuse
  • Analysis and statistical key figures on guessed passwords such as length and complexity as well as their structure
fly d zAhAUSdRLJ8 unsplash

The extraction of password hashes from your Active Directory environment can either be carried out on your premises by our experienced security analysts or by yourself.

The subsequent evaluation of the password quality takes place from our Pentest Factory Cyber-Lab. We follow valid data protection guidelines and handle your sensitive data with utmost care.

After completing our analysis and submitting the final report with a catalogue of measures, we destroy all existing data relating to your Active Directory domain.

Standards and qualifications

We follow recognized international standards for our pentest procedure.

Our penetration testers are highly qualified and certified with several recognized hacking certificates.


1 - Own statistics from our client assessments
2 - Own statistics from our client assessments
3 - Own statistics from our client assessments