Active Directory Password Analysis


­­Active Directory Password Analysis

Verify the actual security of your password policy in Active Directory

Improsec performs an Active Directory Password Analysis to assess the password length, complexity, usage and strength for regular users, administrators and service accounts. This includes the use of “weak” but compliant passwords such as “Winter2018!” and “November2018”.

You will furthermore gain insights into, if passwords used by administrators and for service accounts are sufficiently strong and how hard it would be to gain access to a regular, or an administrative, user account.


  • Get an overview of the actual quality of passwords that are being used across the environment and across the different account types – regular users, administrators and service accounts

  • Get insights into password length, strength, complexity and the most common passwords used. This demonstrates the actual security level and may provide input for content of upcoming awareness campaigns and/or password policy changes

  • Concrete recommendations for enhancing the password quality in the environment


The deliverable of the analysis is a written report containing the following:

  • A non-technical section with an Executive Summary for management and decision makers

  • A technical section including detailed observations, statistics and tangible recommendations

Findings listed in the report can be used and applied in user awareness campaigns - and with more analyses performed over time, trends can be followed.


The password analysis is performed on extracts of your Active Directory database. We will initially spend up to a week cracking the database using very high performing equipment. Afterwards we will analyse the output using various specialized tools.

Data in transit will be encrypted using strong (currently AES 256-bit) encryption. Data will be kept in an isolated and dedicated environment at Improsec to ensure the confidentiality of data. Likewise, the report will also be encrypted using strong encryption. Data will be permanently destroyed after the final version of our report has been delivered.


The delivery requires minimal involvement of your technical staff. Primarily assistance is needed to extract encrypted passwords from the domain.


Download full description as PDF file