Password Security Auditing

Our Password Security Audit for Active Directory goes beyond an automated check against several password lists: it provides detailed human analysis of the password behaviours and high-risk accounts within your organization. We use GPU-based cracking techniques with a combination of brute force and password lists totalling many hundreds of gigabytes.

Not only will our audit report show you the weak AD passwords within your environment, it will also:

  • Provide behaviour analytics such as common “base words”
  • Identify accounts sharing the same password
  • Highlight high-risk accounts, such as Domain Admins and Service Accounts [1], with weak passwords
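The three report items above can be illustrated with a small audit script. This is an added example, not the auditing firm's own tooling: it assumes a hash export in the common `DOMAIN\user:RID:LMHASH:NTHASH:::` line format, and the export lines, the group membership, the SPN list and the "cracked" hash-to-password mapping are all constructed inline (the hash values are placeholders, not hashes of any real password). Because NT hashes are unsalted, accounts with identical NT hashes share a password, which is how the "accounts sharing the same password" finding is produced without needing the plaintext at all.

```python
import re
from collections import Counter, defaultdict

# Real well-known constants: the LM field when no LM hash is stored, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One line per account in the common "DOMAIN\user:RID:LMHASH:NTHASH:::" export format.
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)

# Constructed sample data. Hash values are placeholders, not hashes of any real password.
SAMPLE_EXPORT = """\
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\svc_sql:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\alice:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP\\bob:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP\\carol:1107:cccccccccccccccccccccccccccccccc:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
CORP\\guest_kiosk:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\WS01$:1109:aad3b435b51404eeaad3b435b51404ee:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
"""
PRIVILEGED = {"CORP\\Administrator": "Domain Admins"}  # constructed group membership
SPN_ACCOUNTS = {"CORP\\svc_sql"}                        # constructed: accounts carrying one or more SPNs
CRACKED = {                                            # constructed: hashes the cracking stage recovered
    "0123456789abcdef0123456789abcdef": "Summer2024!",
    "fedcba9876543210fedcba9876543210": "Welcome1",
}


def parse_export(text):
    """Return {user: {"rid", "lm", "nt"}}, skipping machine accounts (trailing '$')."""
    accounts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["user"].endswith("$"):
            continue
        accounts[m["user"]] = {"rid": int(m["rid"]), "lm": m["lm"].lower(), "nt": m["nt"].lower()}
    return accounts


def shared_password_groups(accounts):
    """NT hashes are unsalted, so identical hashes mean identical passwords."""
    by_hash = defaultdict(list)
    for user, rec in accounts.items():
        by_hash[rec["nt"]].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def base_word(password):
    """Simple heuristic: strip leading/trailing digits and symbols, lower-case the rest."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def base_word_counts(accounts, cracked):
    """Count how many accounts use each base word among the cracked passwords."""
    counts = Counter()
    for rec in accounts.values():
        if rec["nt"] in cracked:
            counts[base_word(cracked[rec["nt"]])] += 1
    return dict(counts)


def weakness_reasons(accounts, cracked):
    """Per-account list of findings; an empty list means nothing was flagged."""
    shared = shared_password_groups(accounts)
    reasons = {}
    for user, rec in accounts.items():
        r = []
        if rec["nt"] == EMPTY_NT:
            r.append("empty-password")
        if rec["nt"] in cracked:
            r.append("cracked")
        if rec["nt"] in shared:
            r.append("shared-password")
        if rec["lm"] != EMPTY_LM:
            r.append("lm-hash-stored")  # LM hashes are trivially reversible; LM storage should be disabled
        reasons[user] = r
    return reasons


def high_risk_accounts(accounts, cracked, privileged, spn_accounts):
    """Weak-password accounts that are also privileged or carry an SPN."""
    high = {}
    for user, r in weakness_reasons(accounts, cracked).items():
        if not r:
            continue
        if user in privileged:
            high[user] = r + [f"member of {privileged[user]}"]
        elif user in spn_accounts:
            high[user] = r + ["service account (SPN)"]
    return high


if __name__ == "__main__":
    accts = parse_export(SAMPLE_EXPORT)
    print("shared password groups:", shared_password_groups(accts))
    print("base words:", base_word_counts(accts, CRACKED))
    for user, why in high_risk_accounts(accts, CRACKED, PRIVILEGED, SPN_ACCOUNTS).items():
        print("HIGH RISK", user, ", ".join(why))
```

On the constructed data the script reports two shared-password groups, the base words "summer" and "welcome", and flags the Domain Admin and the SPN-bearing service account as high risk; the LM-hash and empty-password findings show up for ordinary users but are not escalated, which mirrors the report's distinction between weak passwords in general and weak passwords on accounts that matter most.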

How safe is this?

We take the security of your passwords (and their hashes) very seriously. Passwords and hashes are encrypted both at rest and in transit, using industry-standard ciphers and modes only.

All systems used to conduct the audit use block-level encryption [2] and are wiped after the assessment concludes. Any data we hold after the assessment is purged after 14 days by default, or on a data-retention timeline you set. Access to systems holding the data requires hardware-backed multi-factor authentication, and the stored data is additionally protected with hardware-backed GnuPG or Age encryption at rest. [3]

Get a quote today!


  1. Service Accounts here are typically accounts with one or more Service Principal Names (SPNs), which expose them to the attack known as “kerberoasting” used in AD domain takeovers.

  2. Block-level encryption uses dm-crypt with LUKS (LUKS version 1), AES in XTS mode (aes-xts-plain64) with 512-bit keys, SHA-512 as the PBKDF2 hash, and a PBKDF2 iteration time of 3,000 milliseconds.

  3. We use YubiKeys with OpenSSH FIDO2 token-backed SSH keys (ECDSA or Ed25519), GnuPG-generated OpenPGP RSA 4096-bit keys stored within the YubiKey OpenPGP module, or Age keys using the PIV module.