The Authlogics Password Audit Tool is an application designed to help Authlogics Partners identify password-related security issues in their customers' Active Directory domains.
This readme provides further explanation about the sections in the reports and how to interpret the information found.
The Password Audit Tool is delivered as a single 64-bit command line executable, passtool.exe, for Windows Server 2008 R2 and later. It requires Microsoft .NET Framework 4.6.1 or later to run, as well as a valid API key, which can be obtained from Authlogics Support.
Type passtool /? to view the command line options supported by the tool.
Understanding the output generated by the Password Audit Tool
After each successful run, the data generated by the tool is analysed and an output folder is created containing a number of files: summary.txt, detail.txt and multiple files with a .csv extension.
summary.txt contains an overview of each type of issue caused by password breaches. Each line is expanded on as a report section in detail.txt, and the raw data for each section is provided in a corresponding .csv file for custom reporting purposes.
Accounts with passwords that have been found in previous breaches
User accounts whose password has been found in at least one breach. The password does not need to be related to the user in any way; it only needs to have appeared in a breach somewhere at least once. Screening passwords against known breaches is a key part of the NIST 800-63 password guidelines, so to comply with them the password should be changed to one that has not appeared in a breach. The number in square brackets is the number of separate breaches in which this password hash was found.
Accounts with passwords that are commonly breached
User accounts with passwords that appear often in breaches (usually more than 100 times). Such a password is likely to appear in the lists of common passwords that bad actors use when trying to gain access to an account. Because these passwords are commonly breached, they should be reset and users should choose a password that has not been breached.
Administrator accounts with passwords that have been breached
User accounts whose password has appeared in at least one public breach and that are also members of one or more of the following Active Directory groups: Administrators, Domain Admins, Enterprise Admins. Because these accounts have elevated privileges, their passwords should be changed to one that does not appear in a breach. Group membership appears in square brackets after each username.
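The two sections above both place extra information in square brackets after the username (breach count in the first, group membership in the third), and the "commonly breached" section uses a rough threshold of 100 breaches. The following script is an added example, not part of the tool or its output: it assumes a simple "username [bracketed info]" line layout for the detail.txt sections (constructed sample lines below; the real layout may differ), parses both sections, and orders the accounts for remediation with privileged accounts first and then the most-breached passwords.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the ASSUMED "username [bracketed info]" layout.
# Real detail.txt output from passtool.exe may differ; adjust LINE_RE if so.
BREACHED_SECTION = """\
jsmith [3]
mjones [412]
svc_backup [1]
"""
ADMIN_SECTION = """\
jsmith [Domain Admins, Administrators]
adm_ops [Enterprise Admins]
"""

# Usernames are assumed to be sAMAccountName-style with no spaces.
LINE_RE = re.compile(r"^\s*(?P<user>\S+)\s*\[(?P<info>[^\]]*)\]\s*$")
COMMON_THRESHOLD = 100  # "commonly breached": found in more than ~100 breaches


@dataclass
class Finding:
    user: str
    breaches: int = 0
    admin_groups: list = field(default_factory=list)

    def priority(self):
        # Privileged accounts first, then commonly breached, then by raw count.
        return (bool(self.admin_groups), self.breaches > COMMON_THRESHOLD, self.breaches)


def parse_section(text):
    """Yield (user, bracketed_info) pairs; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("info")


def build_findings(breached_text, admin_text):
    """Merge both sections per user and return them in remediation order."""
    findings = {}
    for user, count in parse_section(breached_text):
        findings.setdefault(user, Finding(user)).breaches = int(count) if count.strip().isdigit() else 0
    for user, groups in parse_section(admin_text):
        f = findings.setdefault(user, Finding(user))
        f.admin_groups = [g.strip() for g in groups.split(",") if g.strip()]
    return sorted(findings.values(), key=Finding.priority, reverse=True)


if __name__ == "__main__":
    for f in build_findings(BREACHED_SECTION, ADMIN_SECTION):
        tag = "ADMIN " if f.admin_groups else ("COMMON" if f.breaches > COMMON_THRESHOLD else "      ")
        print(f"{tag} {f.user:<12} breaches={f.breaches:<4} groups={', '.join(f.admin_groups) or '-'}")
```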
Breached account passwords with identifiable information
Users whose password has been breached, listed together with identifiable information found in the breach, such as email addresses, that could allow bad actors to tie the breach record back to the user and gain access to their account. The email address does not have to belong to a specific domain: the account details are compared for full or partial matches against any email address information that could identify the user. Each password in the list should be changed immediately to a non-breached password if there is any suspicion that the email information could identify the user account and allow a bad actor to gain access.
Breached accounts with matching emails and passwords
Lists users with breached passwords and email addresses that are tied directly to the Active Directory domain or to the domain supplied to the tool. Because both the identifying information and the password match a known breach, these accounts are highly likely to be compromised. The passwords for these accounts should be changed immediately to a secure, compliant password.
Accounts with shared passwords
List of users, grouped by password hash, that share the same password. Shared passwords can be used to compromise multiple accounts and may violate local password policies or indicate that default passwords have not been changed.
Emails for this domain with breached passwords
List of all email addresses found in password breaches for the Active Directory domain or the domain supplied to the tool. This list provides a good indication of the amount of user account information available to bad actors. It does not indicate that any of these accounts have breached passwords; however, these accounts are at higher risk of being involved in a breach because they are publicly associated with this domain.