Finding breached, reused, blank, and weak passwords in your environment is a great way to improve its security. Specops Software Password Auditor is a tool that provides visibility to these types of accounts. In this review of its latest features, we see how to use Specops Password Auditor to secure user accounts in Active Directory.

There is no question that one of the weakest points of your organization's security defenses is account passwords. Attackers are constantly looking to compromise user accounts as a way into your network. Once an account is compromised, an attacker can move laterally across your network and attempt to compromise additional accounts, including administrator accounts.

Attackers often use lists of breached passwords in what is known as a password spraying attack to find passwords for your user accounts. Gaining visibility to accounts that use weak or reused passwords can be difficult when left to manual means. Specops Password Auditor is a really powerful tool that can help you find accounts in your environment that use breached, weak, identical, blank, and other types of dangerous passwords.

In this review of the latest features, we will take a closer look at the dangers of password spraying and see why traditional defenses are not enough. We'll look at Specops Password Auditor and see how you can use it in your environment to make user passwords more secure against these types of attacks.

What is password spraying?

Cybercriminals are constantly looking for easy ways inside your environment. One of the most direct ways that attackers gain access to environments is by way of compromising user passwords. Password spraying refers to a method attackers use to try a number of different passwords against a large number of user accounts.

This is a variation of the traditional brute force attack, in which a large number of passwords are tried against one account. Traditional defenses have been employed in most environments that help to circumvent the traditional brute force attack, including account lockouts.

Password spraying attacks can generally circumvent many of the traditional protections, such as account lockouts, since the attacker usually sprays a single password against multiple accounts before trying a different password. In this way, attackers can stay under the protective thresholds of account lockout policies and other security mechanisms.

What is Specops Password Auditor?

First, let's take a closer look at what Specops Password Auditor is and how it can help IT admins with making Active Directory passwords more secure in their organizations. Specops Password Auditor is a free tool available from Specopssoft that allows quickly scanning your Active Directory environment for password vulnerabilities across your user accounts. It scans your Active Directory users for common password vulnerabilities, including:

  • Blank passwords
  • Breached passwords
  • Identical passwords
  • Admin accounts
  • Stale admin accounts
  • Password not required
  • Password never expires
  • Expiring passwords
  • Expired Passwords
  • Password policies
  • Password policy usage
  • Password policy compliance

It scans various Active Directory user account attributes, including:

  • pwdLastSet
  • userAccountControl
  • lastLogonTimestamp

As you can tell by the various scans, it is a very thorough tool. It helps to gain visibility into many passwords risk factors across an Active Directory environment and aggregate this vulnerability information in a single dashboard for easy viewing.

Specops Password Auditor enables easily creating executive report summaries of password information and vulnerabilities found in the environment. It also allows you to compare your password policies against the recommended settings according to industry best practices. This allows a sanity check of sorts for easily auditing your password policies.

Specops itself does not expose your organization's data when checking passwords. Keep in mind that the actual passwords are not transmitted or stored by Specops. It uses the hash values of known breached passwords to check against the hash values of Active Directory user passwords to know whether the password matches one found in a previous breach. The hashes are only stored in memory briefly and are never transmitted, so again, they make sure your password data is never exposed.

New Specops Password Auditor features

Specops has tweaked the Password Auditor app with its latest version, 7.5. New features to note with this release include the following:

  • Added the option to select the specific scan target
  • Provides a new executive summary feature
  • Extended the trial license to include full functionality since the COVID-19 pandemic as well as the ability to view expiring passwords up to a year in advance, until the end of this year

Specops Password Auditor installation and usage

Installing the Specops Password Auditor app is easy. You can get the latest version of Specops Password Auditor here.

The install process is basically a "next, next, finish" process. You can choose to launch the program after the installation is complete.

Installing the latest version of the Specops Password Auditor

Installing the latest version of the Specops Password Auditor

When Specops Password Auditor is launched, it will ask you to configure your Active Directory information, including:

  • Domain: your FQDN domain name
  • Scan Root: you can choose the root of the domain or a specific OU (new feature)
  • Domain Controller: configure a domain controller for the scan

Notice that below I have clicked the Scan Root button (…). This enables selecting the scan target if you only want to scan a particular OU, etc.

Configuring Specops Password Auditor Active Directory scan

Configuring Specops Password Auditor Active Directory scan

Once you have configured the Active Directory scan settings, you then configure handling of breached passwords. You either scan for breached passwords or you can choose to skip the scan as well. Specops Password Auditor downloads the breached password information locally to the machine from which you are running Password Auditor.

Once you have the download directory configured, click the Start Scanning button to begin the Active Directory scan using the Password Auditor.

Chosing the breached password options and location

Chosing the breached password options and location

As noted on the information page for the breached passwords, this is a fairly large data set. I looked at the properties of the download folder, and it was just a little under 5 GB. Keep in mind that this is a good thing. The larger the data set, the more breached passwords the solution is checking your environment against.

Properties of the downloaded breached passwords folder

Properties of the downloaded breached passwords folder

After you click Start Scanning, the scan will run against your Active Directory environment. As you can see, it searches through the available users, looks at password policies, checks for breached passwords, and performs other operations. Once it is complete, click the Show Result button to display the results dashboard.

Running the Specops Password Auditor scan

Running the Specops Password Auditor scan

The results of the scan are displayed in individual tiles. I like how they emphasize the findings that you'll want to give your attention to with the red numbers, which display the number of findings in that particular category. As you can see, I have findings in the breached passwords, identical passwords, stale admin accounts, password never expires, and expired passwords categories. Specops Password Policy provides a very quick, easy way to see accounts that fall into these categories.

Displaying the results dashboard in Specops Password Auditor

Displaying the results dashboard in Specops Password Auditor

It provides an easy way to drill down deeper into the categories and the particular findings for a category. If you click one of the tiles, you get a more detailed view of the accounts found. This includes details such as the location, last logon time and date, and the password policy the user is subject to. You can also export this list of user accounts to further document, triage, or remediate.

Accounts that contain breached passwords found in Active Directory

Accounts that contain breached passwords found in Active Directory

Another nice feature to note here is that Specops Password Auditor can show you accounts that are expiring up to a year in advance. This is part of the functionality that Specopssoft has extended to organizations as part of their contribution to helping organizations during the COVID-19 pandemic.

Viewing expiring passwords with Specops Password Audito

Viewing expiring passwords with Specops Password Audito

As mentioned earlier, a great new feature of Specops Password Auditor is that it is now able to create a very nice Executive Summary Report that details findings in your Active Directory environment. The report details the risk level and notes how many accounts are affected by the findings. Additionally, you get direction on corrective actions and remediation of the findings.

Click the Get PDF Report option.

Click the Get PDF Reporr button

Click the Get PDF Reporr button

Below is the first page of a 15-page executive summary report created from the Active Directory scan from Specops Password Auditor. These are very professional, detailed reports that can be used for management as well as for compliance documentation.

Specops Password Auditor executive summary report available after a scan

Specops Password Auditor executive summary report available after a scan

Wrapping up and impressions

Overall, I was impressed by the functionality and capabilities of the Specops Password Auditor tool. It was easy to download, easy to configure, and easy to perform a scan of an Active Directory environment. However, don't let the simplicity of the product fool you. It provides a wealth of visibility and capabilities that enable quickly giving attention to problematic user accounts from a security perspective. In this quick review, I only scratched the surface of the functionality here.

The dashboard and the executive summary reports enable you to easily see and prioritize action items for remediating password issues in the environment. With security, visibility is key. Nine times out of ten, IT admins do not realize the various user accounts that may exist in the environment with blank passwords, passwords that never expire, and those that are stale. In addition, the breached password check is a great way to determine whether you have user accounts with passwords that have previously been compromised in a data breach. This tool allows you to find the accounts before an attacker does.

Subscribe to 4sysops newsletter!

The best part? Specops Software has extended full features to the trial version of the tool until the end of this year. Be sure to check out Specops Password Auditor here.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account