Companies invest heavily in tools like SIEM, EDR, NDR, implement MFA, and conduct training. And rightly so.
But there’s one problem... Most still don’t know how strong (or rather weak) their passwords are.
The reason is simple. Nobody checks them, and security remains in a state of superposition, somewhat like Schrödinger's cat. But what if 75% of the passwords in your Active Directory can be cracked in 24 hours? Even those that comply with the established password policy?
Few people are aware of the actual security level (strength) of passwords in their organization.
Reports showing that pentesters once again used weak passwords as an entry point, for privilege escalation, or for lateral movement across the infrastructure are also ignored.
Most companies have a password policy in place, which enforces things like password length and complexity. This is, of course, a correct and necessary step. However, it doesn’t always have a real impact on security. In fact, without additional measures, it can be considered dangerous because setting a password policy without verifying it in practice gives us a false sense of security.
From experience, we know that enforcing password length or complexity often results in passwords built from a short string repeated several times, or from a short base with a simple suffix appended, such as:
All of the above passwords would meet the vast majority of security policies (each over 24 characters, containing numbers, uppercase and lowercase letters, and special characters) but are trivial to crack. They represent a real threat to the organization.
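To make the point above concrete, here is an added example (not code from the original page or from Unshade) that checks a password against a typical "24+ characters, four character classes" policy and then looks for the two patterns the text describes: a short block repeated to reach the length, and a short base padded with digits or specials. The sample passwords and the policy thresholds are constructed for this example.

```python
import re
from typing import Optional

MIN_LEN = 24  # assumed policy minimum, as in the text's "over 24 characters"

# Constructed samples: each one satisfies the length/complexity policy below.
SAMPLES = [
    "Summer2024!" * 3,                    # same block repeated three times
    "P@ssw0rd" + "2024" * 4,              # short base plus digit tail
    "Company-Name-2024" + "!" * 15,       # short base plus padding run
    "Correct-horse-battery-staple-9Q",    # no obvious repetition pattern
]

def policy_compliant(pw: str) -> bool:
    """Length plus lower, upper, digit and special, as most AD policies demand."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_LEN and all(re.search(p, pw) for p in classes)

def repeated_block(pw: str) -> Optional[str]:
    """Shortest block whose repetition reproduces the whole password, if any."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return None

def padded_base(pw: str, max_base: int = 16) -> Optional[str]:
    """Short base followed by a run of one character or a digit/special tail."""
    pattern = rf"(.{{1,{max_base}}}?)((.)\3{{3,}}|[\d\W]{{3,}})"
    m = re.fullmatch(pattern, pw)
    return m.group(1) if m else None

def audit(pw: str) -> dict:
    """Report policy compliance and the effective size of the guessable core."""
    block = repeated_block(pw)
    base = None if block else padded_base(pw)
    core = block or base or pw
    pattern = "repeated block" if block else ("padded base" if base else None)
    return {"compliant": policy_compliant(pw), "pattern": pattern,
            "core": core, "effective_length": len(core)}

def summarize(pws) -> dict:
    """Count passwords that pass the policy, and those that pass yet match a pattern."""
    results = [audit(p) for p in pws]
    compliant = [r for r in results if r["compliant"]]
    weak = [r for r in compliant if r["pattern"]]
    return {"compliant": len(compliant), "compliant_but_weak": len(weak)}

if __name__ == "__main__":
    for p in SAMPLES:
        print(audit(p))
    print(summarize(SAMPLES))
```

The "effective length" is the size of the block or base an attacker actually has to guess; a 33-character password with an 11-character core is no stronger than the core.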
A password audit is a technical analysis of passwords, which checks things like:
A password audit provides specific, measurable data:
Credential Dump from Active Directory – obtaining the full ntds.dit and SYSTEM files (optionally SECURITY as well), according to a controlled and secure procedure, without impacting the availability or operation of the domain controller.
Password Change in the Organization.
Secure Data Acquisition – All files are immediately encrypted (PGP) and transmitted only in encrypted form to ensure confidentiality and data integrity at all stages. Data never enters the network, and encrypted PGP files are stored on encrypted external drives.
Offline Data Analysis – All operations such as parsing the database, extracting hashes, cracking passwords, and correlating information are performed exclusively in an isolated offline environment. The entire password-cracking process is carried out on dedicated cracking rigs operating in an isolated offline network, eliminating the risk of unauthorized access or data leakage.
Correlation of Results with AD Infrastructure – The obtained data is mapped to the Active Directory structure and analyzed in the context of password policies.
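As an added illustration of the correlation step (example code, not Unshade's tooling), this script joins a hash dump in the common "DOMAIN\user:RID:LMhash:NThash:::" layout with the set of hashes recovered offline and with assumed AD group membership, producing the per-group statistics a report would carry and flagging accounts that share one NT hash, which reveals password reuse without needing the plaintext. The dump lines, hashes, cracked set and groups are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed dump; the NT hashes are made-up hex strings, not real hashes.
# The LM field is the well-known "no LM hash stored" value seen in every dump.
DUMP = """\
CORP\\alice:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\bob:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\carol:1106:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
CORP\\dave:1108:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""
# Constructed: NT hashes the offline cracking run recovered.
CRACKED = {"1" * 32, "3" * 32}
# Constructed: group membership as it would be exported from AD.
GROUPS = {"Domain Admins": {"alice", "svc_backup"}, "Staff": {"bob", "carol", "dave"}}

LINE = re.compile(r"^(?:[^\\:]+\\)?([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")

def parse_dump(text: str) -> dict:
    """Map sAMAccountName -> lowercase NT hash; lines that do not match are skipped."""
    users = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            users[m.group(1)] = m.group(4).lower()
    return users

def correlate(users: dict, cracked: set, groups: dict) -> dict:
    """Join cracked hashes to accounts and groups; report rates and hash reuse."""
    cracked_users = {u for u, h in users.items() if h in cracked}
    per_group = {}
    for g, members in groups.items():
        present = [u for u in members if u in users]
        hit = sorted(u for u in present if u in cracked_users)
        per_group[g] = {"members": len(present), "cracked": len(hit), "accounts": hit}
    by_hash = defaultdict(list)
    for u, h in users.items():
        by_hash[h].append(u)
    shared = {h: sorted(us) for h, us in by_hash.items() if len(us) > 1}
    total = len(users)
    pct = round(100 * len(cracked_users) / total, 1) if total else 0.0
    return {"total": total, "cracked": len(cracked_users), "cracked_pct": pct,
            "per_group": per_group, "shared_hashes": shared}

if __name__ == "__main__":
    print(correlate(parse_dump(DUMP), CRACKED, GROUPS))
```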
Final Report – The result of the analysis is a detailed technical report containing, among others:
Statistics,
Recommendations regarding security policies,
Secure Data Deletion – After the analysis is complete, all acquired data, hashes, and cracking results are securely deleted according to accepted standards (e.g., multiple overwriting of data, compliance with norms like NIST 800-88 or ISO/IEC 27040). Upon customer request, the deletion process can also be documented (e.g., destruction protocol).
The password audit process is inherently cyclical. Depending on the maturity of the organization, capabilities, and needs, audits are typically conducted on a quarterly basis.
Intensive audit periods usually last between 1 year and 4 years, depending on the speed of achieving security indicators. In organizations with low awareness or high operational risk, audits can be conducted even weekly—especially in the context of verifying passwords for privileged users (e.g., administrators, tier0, etc.). The goal of such accelerated actions is to enforce the use of truly strong passwords in the shortest time possible.
After achieving the set goals, the audit process moves to a phase where audits are performed once a year. This allows for ongoing verification of security levels and maintaining awareness within the organization.
An integral part of the password audit process are short, focused training sessions lasting 20–60 minutes, conducted in small groups. Their goal is:
Training is dynamically adjusted to the current situation, based on the data obtained from the audit. This approach significantly accelerates the process of change and, consequently, the improvement of password security in the environment. Simply enforcing the use of strong, good passwords will never work—employees need to be aware of the risks posed by weak passwords and, most importantly, know what weak passwords are, how to come up with strong ones, and how to manage them. In most cases, users aren’t aware that the passwords they use are weak.
The Unshade team has been involved in the most advanced password cracking competitions and has conducted many lectures and talks about password cracking.
We've cracked billions of hashes, we know which passwords are cracked first—and why.
It’s not enough to have a password policy. You also need to check whether it works. And whether it creates a false sense of security.
🔐 Need a password audit?
Contact us:
👉 Password audit