Release Notes

Current Release


Fixed issues

  • Expiration date for password could be incorrectly resolved.

Other changes

  • Added column "Time until password expire" to csv export for breached passwords report.
  • Added column "Account created" to stale users and stale admins reports.

Released July 02, 2024


Other changes

  • Updated French and German translations.

Released November 16, 2023


Fixed issues

  • Exporting Identical Passwords report could fail if disabled accounts were included.
  • Resolving Specops Password Policy GPO could fail if multiple GPOs were linked on the same OU level.

Other changes

  • Added a Password Compromised column to the Password Never Expires report.
  • Including accounts with no expiration due to Specops Password Policy length-based password aging in the Password Never Expires report.
  • Removed the Disallow Incremental passwords rule from the NIST template.

Changed requirements

  • Generating PDF reports requires Windows 10 or later.

Released October 11, 2023


Fixed issues

  • Improved error handling if reading nTSecurityDescriptor fails during scanning.

Released July 12, 2023


Fixed issues

  • Scanning for users could fail with an error message ("Object reference not set to an instance of an object.").

Released June 01, 2023


Fixed issues

  • Improved usability when scanning multiple domains and validating if user is permitted to read information from all domains.
  • A few sections in German pdf reports were in English.
  • A few sections in French pdf reports were in English.

Other changess

  • Increased range of maximum number of days from 360 to 366 in stale admins and stale user reports.

Released December 13, 2022


New functionality

  • New option to present anonymized scan results (to address privacy concerns).
  • Support for scanning multiple Active Directory domains.
  • Support for scanning multiple organizational units.
  • Updated compliance reports for CJIS, HITRUST CFS, NIST, PCI V4, NCSC, BSI, ANSSI, and CNIL.
  • New report Delegable Admins to show admin accounts that can be delegated (not having "account is sensitive and cannot be delegated" set).
  • New report Stale User Accounts, showing users who have not logged in recently.


  • Improved export of duplicate passwords report, with grouping of the duplicate passwords.
  • Added Expiration and Password last set to the breached passwords report.

Fixed Issues

  • For policies with SPP length-based password aging, presented policy information could be incorrect.

Released November 03, 2022


New functionality

  • New "Password Age" report, useful to determine which users have not changed passwords after a known breach.
  • PDF reports now available in French.
  • PDF reports now available in German.

Other changes

  • The blank passwords and identical passwords report were not displayed if no breached password list had been downloaded.
  • Added "last password change" and "time until password expires" to the breached passwords report.
  • Changed the default PDF report filename to include more information about the report options.

Released March 30, 2022


Improved functionality

  • The Identical passwords report has been made easier to navigate.

Other changes

  • Relative strength now uses entropy.

Released May 04, 2021


New functionality

  • New report to show users with ‘Password never expires’.

Other changes

  • New hostname for Breached Password Protection, see Installation (section Requirements)
  • Added index for same password report for readability.
  • Changed to save last download folder to per-computer rather than per-user, to avoid having multiple users on the same computer download the same list to different locations.

Released September 16, 2020


Fixed Issues

  • Fixed an issue where some reports were displayed even though data had not been collected for them.

Released July 20, 2020


New Features

  • Added PDF reporting, summarizing password security related findings.
  • Added option to select root for scanning, when not scanning the entire Active Directory.

Fixed Issues

  • Compliance report could fail to include dictionaries.

Released July 8, 2020


New Features

  • Due to the unprecedented global impact of COVID-19, Specops Software has enabled full functionality in Specops Password Auditor even with a trial license, enabling organizations to identify users who are running compromised/identical passwords on their AD accounts.
  • Additionally we have extended the ability to review the Expiring Passwords report up to a year in advance so that you can easily identify users whose passwords may expire while they are off the corporate network during the current global pandemic.

Fixed Issues

  • Installation could fail if .Net framework 4.8 was installed.

Released March 24, 2020


Fixed Issues

  • Fixed an issue where scanning users could fail and stop the entire scan process.

Released February 20, 2020


Other changes

  • Improved offline scan workflow (see Offline Scans for more information).

Released December 11, 2019


New Features

  • Added export option for all users with leaked passwords.

Fixed issues

  • Fixed an issue where the back navigation could fail after downloading a dictionary.

Released October 16, 2019


Fixed issues

  • Fixed an error that could happen if the user who is running SPA does not have permission to read users’ security group memberships.
  • Improved error handling if some password hashes cannot be read from the domain controller.

Other changes

  • Changed the structure of the Identical Passwords report to use two levels for increased performance.
  • Improved performance when reading user details.
  • Improved error messages when failing to access the Breached Password Protection Express online service.

Released August 12, 2019


Fixed issues

  • In some environments, looking up a user’s password hash could fail.

Released July 29, 2019


New Features

  • Added SamAccountName information to multiple reports.
  • Added email address information to the export of multiple reports.
  • Added distinguishedName information to the export of multiple reports.

Fixed issues

  • In some scenarios, dictionary download timeouts caused the Breached Password Protection scanning to fail.

Other changes

  • The Identical Passwords report will now export all accounts instead of 50 accounts per group.
  • Responsiveness improvements when the Breached Password Protection scanning is cancelled (either manually or automatically due to an error).
  • Added configuration to enable SPA to use the default proxy when downloading the Breached Password Protection Express dictionary.
  • Improved the error message that is displayed if something goes wrong when scanning Active Directory.

Released June 19, 2019


New Features

  • New report that identifies user accounts with passwords that are known to be leaked. This feature compares the password hashes of user accounts with a list of leaked passwords from the Specops Password Breached Password Protection.
    • Note: For full feature functionality, you will need a license for Specops Breached Password Protection.
  • New report that identifies user accounts that have the same password.
  • New report that identifies user accounts with blank passwords (no password).

Released June 12, 2019


Fixed Issues

  • Fixed issue where scanning stopped if the “Password Settings” container for fine grained password policies was missing.
  • Fixed issue with writing default application settings in registry.
  • Registry writing from x86 installer on x64 OS was incorrect.

Other Changes

  • Improved error process if scanning fails.

Released May 5, 2017