Scope of the Assessment
During this assessment, our ethical hackers evaluate the password strength in your company. Our technical analysis is conducted without user context and can be coordinated with your works council or data privacy team. The test is conducted remotely.
Technical Analysis
Evaluate your password policy in a technical manner.
Anonymous Evaluation
Passwords are cracked without correlation to employees.
Compliant Audit
Our testing procedure is coordinated with your works council or data privacy team.
Measurable Statistics
We track your progress in regular audits.
Secure Data Exchange
Sensitive data is exchanged via our encrypted file platform.
Our Own Infrastructure
We host local cracking servers ourselves. No data is stored remotely or in the cloud.
More than half of all employee passwords can be cracked during our analysis. This points to low password quality. ¹
Password reuse is present in almost any company and will be detected during our assessment. ²
Almost two thirds of all cracked employee passwords consist of easily guessable dictionary entries. ³
Active Directory Password Audit
Our approach
In an Active Directory password audit, we extract the password hashes of all users in your Active Directory domain(s) without user context. We then attempt to convert these password hashes into their plaintext form using freely available password lists and other cracking methods.
Our follow-up quality analysis of the identified plaintext passwords can provide measurable results on the existing password strength in your organization. This also enables you to obtain an overview of potential weak points in your company and the Active Directory configuration and to fundamentally eliminate them.
These are some of the evaluations that are part of our anonymous password audit:
- Password strength in your Active Directory domain
- Password reuse
- Analysis and statistical key figures on guessed passwords such as length and complexity as well as their structure
The extraction of password hashes from your Active Directory environment can either be carried out on your premises by our experienced security analysts or by yourself.
The subsequent evaluation of the password quality takes place from our Pentest Factory Cyber-Lab. We follow valid data protection guidelines and handle your sensitive data with utmost care.
After completing our analysis and submitting the final report with a catalogue of measures, we destroy all existing data relating to your Active Directory domain.
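The quality analysis described above, as an added example that is not Pentest Factory's own tooling: it takes a constructed, pseudonymised audit export (account id, hash placeholder, cracked plaintext or empty) and derives the figures the audit reports: crack rate, password reuse (identical unsalted hashes imply identical passwords), length and complexity distributions, structure masks, and the share of dictionary-based passwords against a small constructed word list.

```python
import re
from collections import Counter

# Constructed sample export: pseudonymous id, hash placeholder (not a real hash), plaintext if cracked.
SAMPLE_AUDIT = """\
u001:HASH_A:Summer2023!
u002:HASH_B:Winter2023
u003:HASH_A:Summer2023!
u004:HASH_C:
u005:HASH_D:P@ssw0rd
u006:HASH_E:
u007:HASH_B:Winter2023
u008:HASH_F:xK9#qLm2vT
"""
# Constructed mini word list standing in for the public password lists used in the audit.
DICTIONARY = {"summer", "winter", "password", "welcome"}

def parse_audit(text):
    """Return a list of (account, hash, plaintext_or_None) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            acct, h, pw = line.split(":", 2)
            rows.append((acct, h, pw or None))
    return rows

def mask(pw):
    """Structure mask: U upper, l lower, d digit, s symbol, e.g. 'Summer2023!' -> 'Ullllldddds'."""
    return "".join("U" if c.isupper() else "l" if c.islower() else "d" if c.isdigit() else "s" for c in pw)

def complexity_classes(pw):
    """Number of character classes (upper/lower/digit/symbol) present, 1..4."""
    classes = sum(any(f(c) for c in pw) for f in (str.isupper, str.islower, str.isdigit))
    return classes + (1 if any(not c.isalnum() for c in pw) else 0)

def dictionary_based(pw, words=DICTIONARY):
    """True if the core (leading/trailing digits and symbols stripped, simple leet undone) is a dictionary word."""
    core = re.match(r"^[^A-Za-z]*(.*?)[^A-Za-z]*$", pw).group(1)
    return core.lower().translate(str.maketrans("@0$31", "aosei")) in words

def audit_summary(rows, words=DICTIONARY):
    """Statistics per the audit: crack rate, reuse groups, length/class/mask distributions, dictionary share."""
    cracked = [p for _, _, p in rows if p]
    # Assumes unsalted hashes (e.g. NT hashes): equal hash means equal password, even for uncracked accounts.
    reuse_groups = {h: n for h, n in Counter(h for _, h, _ in rows).items() if n > 1}
    return {
        "accounts": len(rows), "cracked": len(cracked),
        "crack_rate": len(cracked) / len(rows) if rows else 0.0,
        "reuse_groups": reuse_groups, "accounts_sharing_password": sum(reuse_groups.values()),
        "length_dist": Counter(len(p) for p in cracked),
        "class_dist": Counter(complexity_classes(p) for p in cracked),
        "mask_dist": Counter(mask(p) for p in cracked),
        "dictionary_share": sum(dictionary_based(p, words) for p in cracked) / len(cracked) if cracked else 0.0,
    }
```

Reuse is counted on hashes rather than plaintexts, so shared passwords are found even among accounts that were never cracked.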
Sources
1 - Own statistics from our client assessments
2 - Own statistics from our client assessments
3 - Own statistics from our client assessments