Specops Password Auditor

Overdue a password health-check? Audit your Active Directory for free.

Specops Password Auditor is a read-only audit tool that scans your Active Directory for password-related vulnerabilities. You’ll get all the results in an easy-to-understand interactive report of user and password policy info. It’s free to download – so take the first step towards better password security.


Authentication and password security are more important than ever – but how do you fix a vulnerability you can’t see? Specops Password Auditor gives you the visibility you need to start remediating access security risks. A full audit of your Active Directory is the first step towards better password security, giving you an easy-to-understand view of password-related risks that could be access routes in waiting for opportunistic hackers.

  • Audit your Active Directory accounts

    • Check user accounts and passwords against 1 billion vulnerable passwords obtained from data breach leaks 
    • Scan for weak and compromised passwords that could be used as entry points by attackers 
    • Audit your domain for stale or inactive privileged administrator accounts  
  • Analyze risk with password reports

    • Assess your domain password policies and fine-grained password policies to see if they require users to create secure passwords
    • Identify accounts with expired passwords, identical passwords, blank passwords, and more 
    • Measure the effectiveness of your policies against brute force attacks 
  • Align password policies with compliance standards

    • Measure your policies against industry standards and get a compliance score  
    • Comply with cybersecurity regulations (e.g. NIST, CJIS, NCSC, ANSSI) and privacy regulations (e.g. CNIL, HITRUST, PCI)

Auditing is the place to start your journey towards better password security. We’ve developed Specops Password Auditor to help organizations easily understand the problem they’re facing.


  • Overview of relative strengths of password policies including change interval and dictionary enforcement
  • Generate an executive summary PDF report to share your results with decision makers (available in English, French, or German)
  • Identify accounts using passwords from a list of over 1 billion compromised passwords
  • Export report data to CSV for further processing
  • Identify user accounts without a minimum password length requirement
  • Review administrator accounts and rights to help with least privilege implementation
  • Use standalone or integrate with Specops Password Policy for powerful management and remediation
  • Identify users who have not changed their password since a given date to help with a reset password directive or new password policy
  • Password expiration reports to curb password-related helpdesk calls
  • Identify dormant, stale, and inactive user accounts

Specops Password Auditor: Build a Solid Foundation for Password Protection

Specops Password Auditor provides a quick and easy method to get a view of how your organization is complying with company password policy. The drill downs allow me to view the information that is most important.
Paul M, Sr. Infrastructure Analyst

Amazing lightweight tool which can be installed and used within minutes, provides key security information on what your users are doing with their password decisions and also their inactivity. Creates actionable spreadsheets and PDFs so you can target the users who are using breached passwords.
Ryan C, Infrastructure Engineer

Download Specops Password Auditor for free

Weak password security can create thousands of potential attack routes into your organization. Audit your Active Directory today and get a view of your password-related vulnerabilities.



Frequently Asked Questions


Specops Password Auditor will run a read-only scan of your Active Directory network. You can scan a custom root, multiple OUs, or multiple trusted domains at once. You can also choose to anonymize username data in your results. Once your scan is complete, you can export results to a CSV or download an executive summary PDF to share with others. You can find more information on how to audit your Active Directory here.

Specops Password Auditor can run from any domain joined workstation (Windows 8 and above, or Server 2012 and above), either as a regular user, or as a domain admin. For a full list of the requirements, please refer to the installation guide. 


Yes. Specops Password Auditor can compare password settings in your organization with industry standards, including: NIST, CJIS, PCI, HITRUST, NCSC, CNIL, ANSSI, and BSI. 

No. Specops Password Auditor is a reporting tool. It will only read information from Active Directory without making any changes. For more information, see Impact of running Specops Password Auditor on Active Directory.

Yes. Specops Password Auditor flags issues that impact how well your password policies defend against attacks like the use of compromised passwords and more. For a specific strength rating, you can see an entropy rating for each scanned password policy.

You can share results at your discretion via a report export. You can download an overview of results via the Executive Summary report or you can export individual report results to CSV. Before sharing, you may want to consider configuring your scan to run with anonymous user data. Alternatively, if your colleague has appropriate privileges, you can direct them to download and run Password Auditor themselves.

No. The reports only flag which accounts have password issues but don’t reveal the password itself. Only one-way encrypted password hashes are compared, the product contains no link between hashes and plain text passwords, and no passwords are revealed.

Specops Password Auditor compares hashes from your AD to hashes in the downloaded Breached Password list.

The Breached Passwords report does not use clear text passwords. The MD4 hashes of the compromised passwords are compared to the hashes of the passwords from the domain. The hashes are not stored; they are read and kept in memory by Specops Password Auditor.

The executive summary report export includes advice on how to resolve specific issues in your scan. It also includes some severity ratings and an overall password vulnerability score to help you prioritize your fixes. For a proactive approach against breached passwords, use Specops Password Policy’s Breached Password Protection to actively block and prevent the use of breached passwords.
