CTA icon
How to Audit Passwords

How to Audit Passwords

Timothy Ware brings his education and experience into his writing to simplify complex topics in cybersecurity, physical security, and all things B2B SaaS. His work has appeared on many prominent websites including TeamPassword, Solink, Security Today, Baremetrics, Cova, and Databook, among many others. He welcomes you to reach on LinkedIn about anything and everything. You can find out more about Timothy at https://b2b-saas.io/.

August 21, 20239 min read

Password Management

If one member of your team uses a weak password, it exposes your entire network to threats. Likewise, if one member of your team reuses their strong password elsewhere and it is pwned, then your entire network is exposed. 

Passwords have become the main point of entry for hackers. Any password complex enough to garner security cannot be remembered easily, and with an ever-increasing number of passwords being needed, users often reuse them, which is a huge security risk. 

Between weak and reused passwords, your network is far less secure than it would be by design. The first step in rectifying this situation is to audit passwords on your network.

What is a Password Audit?

A password audit is simply using similar software as hackers to test your network against dictionary attacks, brute force attacks, and more. 

Special software is used to audit passwords. They attempt to break into your network similarly to nefarious actors to show you all of your password vulnerabilities, from weak passwords to pwned passwords, so that your network can realize maximum security.

Why Audit Passwords?

The fact is that passwords are fatally flawed: they need to be complex and unique, they need to be different for each site, you need to remember them, and you shouldn’t store them somewhere unsafe like on a post-it note on your monitor or an Excel file. Human nature is hard to avoid, and it runs counter to the aim of secure passwords. 

Built-in password generator.gif

Use a password generator to test the strength of your password

Of course, a strong password manager helps, but before you get the most out of the added security and convenience of a password manager, you need to be confident that the passwords being used to access your network are secure. 

Let’s assume everyone on your team understands that they shouldn’t reuse passwords and have chosen a unique one for their work login, as well as the logins for all the tools they use at work. That’s great.

Let’s assume you enforce password complexity to maximize security. That means everyone must choose a password with a minimum length of 12 characters and that it must have at least one each of lowercase letters, uppercase letters, numbers, and a set of characters. That is, it meets the following requirements: 

  • Lowercase letter {abcdefghijklmnopqrstuvwxyz}
  • Number {0123456789}
  • Character {!@#$%^&*()_+{}|:"<>?~`-=[]\;',./}

That’s great, too. But, is it enough? Well, to crack that password by trying 20,000,000,000 attempts per second, which is easily accomplished using a cloud computing platform, would take a maximum of approximately 6,600 years and an average of half that, or 3,300 years. Problem solved, right? 

Well, it depends on what kind of passwords your team is choosing. If they are picking truly random passwords, then it is unlikely anyone will ever crack those codes. But there’s a difference between passwords that can be brute force attacked and those that are easy to guess. For example, “Password#333” matches the requirements but isn’t going to take any longer than “password” to guess.

To understand this fully, we need to understand the difference between a brute force attack and a dictionary attack. The brute force attack starts with “aaaaaaaaaaaa,” then “aaaaaaaaaaab,” and so on until the password is found. 

A dictionary attack, conversely, tries every word in a dictionary. Although these dictionaries might include the entire Oxford English Dictionary, they go well beyond that and include the words commonly used as passwords and variations of those passwords. For example, in addition to “password,” they might include “p4ssw0rd”, “pa55word”, “passwordpassword,” etc. 

Passwords need to be safe from both, and auditing passwords will tell you whether you have either issue.

Don't let your company fall victim to extortion emails, credential stuffing, or any other password vulnerability. Let TeamPassword take care of security while you focus on growing a successful business!

‏‏‎ ‎‏‏‎ ‎

Sign up for a 14-day free trial to test TeamPassword with your team members today.

‏‏‎ ‎

How do you Audit Passwords?

To audit passwords, you need to use specialized software. We provide a list of several popular tools to audit passwords in the following section. But how do they work?

Essentially, the password auditing tools attempt to guess the passwords being used on your network. They do this through a combination of dictionary and brute force attacks, among other attacks, and then notify you about any other ways that the passwords might be compromised, for example, by being pwned.

Once you have performed a password audit, you can then notify any users whose passwords have been compromised or too weak so that they can change them.

‏‏‎ ‎‏‏‎ ‎

What are some tools to audit passwords?

You’ve decided to audit the passwords on your network, but what program should you use? Here are five popular password auditing apps. 


RainbowCrack is based on Phillippe Oechslin’s faster time-memory trade-off technique. It is a brute force hash cracker that generates all possible plaintexts and then computes the corresponding hashes on the fly. Next, it compares the hashes to the one that needs to be cracked. 

If a match has been found, then the plaintext has also been found. Conversely, if all possible plaintexts have been tested, but no match has been found, then the plaintext has not been found. 

RainbowCrack requires a pre-computation stage that involves time-consuming computations.


Wfuzz is another tool designed to brute force attack web applications. It was originally created to assess web applications, but it can also be used to find hidden resources, e.g., directories, servlets, and scripts.

Cain and Abel

Cain and Abel is a password recovery tool. It is available for Microsoft operating systems. It can help recover lost passwords by using several types of attacks. These include dictionary attacks, brute force attacks, and cryptanalysis attacks. 

It can also decode scrambled passwords, record VoIP conversations, reveal password boxes, uncover cached passwords, recover wireless network keys, and analyze routing protocols.

Cain and Abel was originally developed for use by network administrators, teachers, security consultants, forensic investigators, network penetration testers, etc.‎ ‎

THC Hydra

THC Hydra is a common choice for performing brute force cracks of remote authentication services because it can perform quick dictionary attacks on more than 50 protocols, such as Telnet, FTP, HTTP, https, smb, and various databases.

THC Hydra is a fast network login password cracking tool. New modules can be installed easily to enhance its features. It is currently available for Windows, Linux, Free BSD, Solaris, and OS X.


Ncrack is another fast network authentication cracking tool. It was originally designed to help companies improve the security of their networks by testing their hosts and network devices for poor passwords. 

Because Ncrack enables rapid, reliable, and large-scale password auditing, it is also used by security professionals. Furthermore, it has a flexible interface that gives the user full control of network operations. 

The protocols supported include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.

‏‏‎ ‎

What are common issues found when you audit passwords?

Weak Passwords

Weak passwords are too short, too simple, or too common. 

Too short and/or too common passwords can be found easily through brute force attacks because the total number of testable passwords before hitting the correct password combination is too low compared given modern computing capabilities. 

Common passwords - your child’s name, for example - are highly vulnerable to dictionary attacks. 

Whichever type of weak password is found, all affected passwords should be changed immediately.

Compromised Passwords

A “pwned” password is one that has been leaked online. This is when a username and password combination has been hacked on some site, so hackers can integrate those credentials into the ones they test when trying to break into other networks. 

Since people regularly reuse passwords despite all recommendations against the practice, these pwned passwords are likely to show up on your network, and they need to be changed asap. 

We recommend checking your email and passwords with the tool Have I Been Pwned

Identical Passwords

When an attacker gets one password, they’ll try it on thousands of accounts. If you reuse even one password, you’re compromising every account protected by that password. Each password must be unique. 

Expired Passwords

Depending on security requirements, passwords can expire. If expired passwords are found, they need to be changed. A good password audit will show currently expired as well as soon-to-be expired passwords.

Whatever issues are found during your password audit, the best thing you can do to prevent further issues is to help your users create strong passwords by providing a password manager. Only with TeamPassword can you facilitate your team in being proactive participants in network security. 

The best way to secure your IT infrastructure is to use a password manager that includes sharing features. TeamPassword offers AES 256-bit encryption and two-factor authentication so that only the right people can make sense of the passwords.

Before anyone can access the list of shared passwords, they must log in to the platform using their personal password and, should you choose to enforce multi-factor authentication (which we recommend), a short-term authentication code.

Teams often need to share passwords to access mutual accounts, but you don't have to put your data at risk to make this possible. Instead, use TeamPassword to securely generate, store, and share passwords within a team. 

Sign up for a 14-day free trial to test TeamPassword with your team members today.

facebook social icon
twitter social icon
linkedin social icon


TeamPassword Screenshot
A male volunteer stands in front of four other volunteers with his hands on his hips, smiling.

Password Management

May 29, 20247 min read

Best Password Manager for Nonprofits (2024)

Nonprofits have unique needs in software, from lower budgets to less tech-savvy staff or no dedicated IT staff. ...

Electrician in hardhat

Password Management

May 27, 202412 min read

6 Best Password Managers for the Trades (Electricians, Plumbers, HVAC, Contracters)

Wondering how to organize your passwords as an electrical, HVAC, plumbing, or any other contracting or trade business? ...

KeePass logo with arrow pointing to 10 alternatives

Password Management

May 15, 202410 min read

Top 10 KeePass Alternatives for 2024

KeePass is a solid software for certain use cases, but there are a few reasons you might look ...


TeamPassword は、チームのIDとパスワードを保存および共有するための、最も速く、最も簡単で、最も安全な方法です。