Skip to main content

Why Run a Password Audit

Attackers only need one way in—but once they’re inside, compromised passwords make it easy to move through your environment, escalate privileges, and take over additional accounts. Passwords exposed through data breaches or infostealer malware can quickly become tools for credential stuffing and account takeover.

A password audit gives IT teams a clear picture of password security risks across Active Directory so they can prioritize remediation efforts before attackers exploit them.

See the Password Auditor in Action

Watch how Enzoic for AD Lite scans your Active Directory domain and provides an instant overview of password security risks through a clean, easy-to-read dashboard.

Safe and Private

Your passwords remain secure throughout the audit process:

  • Only the first 10 hex characters of each password hash are sent to Enzoic.
  • Candidate hashes are returned and compared locally.
  • Partial hash data is never stored and is deleted immediately after processing.

This privacy-preserving approach ensures no sensitive credential data leaves your environment.

HOW IT WORKS

1. Register and Download
Create a free Enzoic account, select Enzoic for Active Directory LITE, and download the installer. Install the lightweight auditor on any domain-joined Windows system with administrator privileges.

2. Scan Passwords Safely
Compares credentials against Enzoic’s continuously updated database of billions of compromised passwords using privacy-preserving partial hash matching — your full password hashes never leave your environment.

3. Review Results
View a dashboard summarizing password security risks across your Active Directory environment, including:

  • Compromised or exposed passwords
  • Weak or common passwords
  • Reused or shared passwords
  • Empty passwords
  • Accounts with passwords set to never expire
  • Stale or inactive accounts

Enzoic’s Password Auditor vs. Enzoic for Active Directory

Start with Enzoic’s free password auditor to assess password security risk across Active Directory, then upgrade to Enzoic for Active Directory for continuous monitoring, advanced reporting, and automated protection.

Enzoic for AD Lite Password Auditor

Active Directory password audit with summary reporting

  • Instant visibility into password security risks
  • Password health metrics across your Active Directory environment
  • 100% free — no license key required

Frequently Asked Questions

What is provided in the password audit report?

The password audit scans your entire Active Directory environment and provides a summary of your organization’s password security posture. Summary metrics include the total number of users, administrator accounts, compromised passwords, weak passwords, shared passwords, accounts with passwords set to never expire, and stale accounts.

The report also includes a sample of user-level results. Organizations that require full user-level reporting, continuous monitoring, and automated remediation should use Enzoic for Active Directory.

No license key is required for the password auditor. This is a free product.

Enzoic for Active Directory supports any 64-Bit Windows Client or Server. It can be run from any domain joined system using an account in the Administrators Group that can access the Internet.

Enzoic for Active Directory LITE evaluates passwords based on Enzoic’s database of 8+ billion compromised passwords and is updated several times each day. A database of this size could not be practically downloaded.

Enzoic rate limits the audit at 10 calls per second. Auditing a domain of 500 user takes about a minute. An audit of 10,000 users can be completed in under 20 minutes. That’s checking against a database of +8B entries!

Enzoic for Active Directory LITE uses a partial hash comparison approach through Enzoic’s Password API. This allows you to check whether a given password is known to be compromised, without the exact password or hash leaving your environment. It is only necessary to supply the first 10 hex characters of a hash. A list of candidate hashes will then be returned and compared locally with the exact hash to determine if there is a match. The partial hash data is not stored by Enzoic and is actively deleted from our server memory when this process is completed.

Enzoic collects two types of vulnerable passwords:

  1. Exposed refers to compromised passwords found in data breaches and
  2. Weak refers to passwords found in cracking dictionaries. Neither should be considered safe for use.

The full Enzoic for Active Directory is a complete solution for keeping vulnerable passwords out of your organization and complying with current NIST guidelines. It adds a customizable password policy within Active Directory to protect against unsafe passwords. It includes a custom password dictionary, blocks username derivatives, and checks fuzzy matches with common leetspeak substitutions. It then does automatic, continuous auditing to determine when a safe password becomes vulnerable. Remediation is also automated, including notification, password reset or disabling accounts. Learn more here