Product: Specops Password Auditor
One of the most important things that any organization can do to keep its resources secure is to practice good password security. But how do you know if your passwords measure up? Specops has a free tool called Password Auditor that claims to be able to help. I decided to take Specops Password Auditor for a test drive to see how well it works.
Normally when I write a review, I like to try to install and use the product without looking at the documentation, because that way I can get a feel for how intuitive the software is. In this case, however, Specops sent me an email message containing several different links, and I accidentally clicked on the link to the installation documentation. As that documentation shows, the installation process could not be easier. The entire process consists of downloading the software and running a very simple Setup Wizard. In my case, the entire installation process (not counting the download) took less than ten seconds to complete.
Performing a password audit
When you launch Specops Password Auditor, you will be taken to a screen like the one shown in the figure below. As you can see in the figure, Specops has made it extremely easy to get started. All you have to do is enter the name of your domain and the fully qualified domain name of a domain controller within that domain, and then click the giant Start button. As if that were not easy enough, the Domain and Domain Controller fields were pre-populated on my test server, so I did not even have to provide Specops Password Auditor with any information. All I had to do was click the Start button.
Before I begin talking about the scanning process, I want to point out some of the things that are displayed on the screen shown in the figure above. I absolutely love the fact that the software explains exactly what is going to happen, and how the information that it collects will be used. There is no technical jargon and no ambiguity. The software essentially tells you that it is going to scan your Active Directory and compare the settings within it to industry standards and best practices in order to generate a collection of reports. Furthermore, the screen tells you in no uncertain terms that the software will read information from Active Directory but will not make any changes.
Active Directory Scan
After clicking the Start button, I was taken to a screen that asked me if I wanted to perform a blacklist scan. As you can see in the figure below, Specops Password Auditor has the ability to download a database of vulnerable passwords so that the passwords used within the Active Directory environment can be compared against those passwords. For example, passwords that were exposed during data breach leaks are included in the database.
As you look at the screen capture above, there are two things that are worth paying attention to. First, the list itself is multiple gigabytes in size, so it is quite comprehensive. The version that I downloaded while writing this review was 4.56GB in size. Second, the list has an associated version number, so Specops presumably keeps the list up to date.
Once I finished downloading the vulnerability list, I restarted the software (even though a restart wasn’t actually required) and reinitiated the scanning process. When writing a software review, I almost always evaluate the software in a lab environment rather than trying it out in a production environment. This particular lab environment has a very small number of users, so I assumed that the scan would be fast. In actuality, the scan completed so quickly that if I had blinked, I would have missed it.
The results screen displays various key statistics in a dashboard view. Key information is displayed in a series of boxes that make it very easy to digest the information. As you look at the figure below, for example, you can see that I have one account that has administrative access, and I have four accounts in which passwords are not required. I can also see that the password policies are based on settings within the PoseyLabs.com domain. The Password Policy Compliance box shows a red indicator next to my domain, indicating that there are some password policy settings that need to be stronger.
As you look at the figure above, something else that you may notice is that the first three boxes are yellow, while the other boxes are blue. The yellow boxes provide summary information, but not details. For example, I can see that one account has a blank password, three accounts are using blacklisted passwords, and the Administrator account and two other accounts are using the same password as one another.
The reason Specops Password Auditor only provides summary information without the relevant details is that Specops Password Auditor is a free product. If you want to know details such as which user has a blank password, which users have duplicate passwords, and who is using blacklisted passwords, then you will need to get a different Specops product called Specops Password Policy.
Although none of the user accounts in my lab environment had expired passwords this time, I previously reviewed an earlier version of the product, and at that time Specops Password Auditor identified four accounts with expired passwords. I found that by clicking on the Expired Passwords box, I was able to determine which accounts had expired passwords, and could use that information to help identify stale accounts that might pose a security risk.
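To make the dashboard findings described above concrete, here is an added example (my own code, not part of the review or of Specops' product) that reproduces the same categories of finding over a constructed set of accounts: administrative access, password not required, blank passwords, passwords that never expire, expired passwords, blacklisted passwords and duplicate passwords. Real Active Directory stores NT hashes and the auditor reads them from the directory; this example stands in a SHA-1 hex digest for the stored credential and a small constructed breach list so that it runs offline. The account records, flag values and dates are all constructed, and the userAccountControl bit masks are the documented Microsoft values.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Microsoft values)
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
NORMAL_ACCOUNT = 0x0200


def pw_hash(password: str) -> str:
    """Stand-in for the stored credential (assumption: SHA-1 hex instead of
    the NT hash that Active Directory really holds). The audit only ever
    compares digests; it never needs the plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach list: a real blacklist holds digests only, not plaintext.
BREACHED_HASHES = {pw_hash(p) for p in ("Password1", "Summer2023!", "Welcome1")}

# Constructed reference time and domain policy maximum password age.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_PASSWORD_AGE = timedelta(days=90)

# Constructed accounts; "hash" stands in for the NT hash an auditor reads.
ACCOUNTS = [
    {"sam": "Administrator", "uac": NORMAL_ACCOUNT,
     "pwd_last_set": NOW - timedelta(days=10), "hash": pw_hash("Welcome1"), "admin": True},
    {"sam": "jdoe", "uac": NORMAL_ACCOUNT,
     "pwd_last_set": NOW - timedelta(days=30), "hash": pw_hash("Welcome1"), "admin": False},
    {"sam": "svc_backup", "uac": NORMAL_ACCOUNT | ADS_UF_PASSWD_NOTREQD,
     "pwd_last_set": NOW - timedelta(days=400), "hash": pw_hash(""), "admin": False},
    {"sam": "asmith", "uac": NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD,
     "pwd_last_set": NOW - timedelta(days=500), "hash": pw_hash("long unique passphrase 42"), "admin": False},
    {"sam": "old_user", "uac": NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE,
     "pwd_last_set": NOW - timedelta(days=200), "hash": pw_hash("Summer2023!"), "admin": False},
]


def is_expired(acct, now=NOW, max_age=MAX_PASSWORD_AGE) -> bool:
    """An account whose password is flagged never-to-expire is not reported as
    expired, regardless of how old the password is."""
    if acct["uac"] & ADS_UF_DONT_EXPIRE_PASSWD:
        return False
    return now - acct["pwd_last_set"] > max_age


def audit(accounts, breached=BREACHED_HASHES, now=NOW) -> dict:
    """Return the same categories the auditor's dashboard summarises.
    Disabled accounts are excluded, as they cannot be used to log on."""
    enabled = [a for a in accounts if not a["uac"] & ADS_UF_ACCOUNTDISABLE]
    blank = pw_hash("")
    by_hash = {}
    for a in enabled:
        by_hash.setdefault(a["hash"], []).append(a["sam"])
    return {
        "admin_accounts": sorted(a["sam"] for a in enabled if a["admin"]),
        "password_not_required": sorted(a["sam"] for a in enabled if a["uac"] & ADS_UF_PASSWD_NOTREQD),
        "blank_password": sorted(a["sam"] for a in enabled if a["hash"] == blank),
        "never_expires": sorted(a["sam"] for a in enabled if a["uac"] & ADS_UF_DONT_EXPIRE_PASSWD),
        "expired": sorted(a["sam"] for a in enabled if is_expired(a, now)),
        "blacklisted": sorted(a["sam"] for a in enabled if a["hash"] in breached),
        # Shared credentials are found by digest equality, so no plaintext is needed.
        "duplicate_groups": sorted(sorted(v) for v in by_hash.values() if len(v) > 1),
    }


if __name__ == "__main__":
    for category, members in audit(ACCOUNTS).items():
        print(f"{category}: {len(members)} -> {members}")
```

Two design points are worth noting. Duplicate and blacklisted passwords are both detected purely by comparing stored digests, which is why a password audit never needs to recover anyone's plaintext password. The disabled account old_user is skipped even though its password is on the breach list; an audit that also wants to flag stale-but-reenableable accounts would drop the ADS_UF_ACCOUNTDISABLE filter and report disabled accounts separately.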
So with that said, I want to go back to something that I briefly mentioned earlier. The Password Policy Compliance box contains a colored indicator that reflects the password policy’s health. In my case, this indicator was red. I found that if I clicked on this indicator, I was taken to a screen like the one shown below that lists various industry standards such as NIST and PCI. For each standard, there is an indicator icon that tells whether the current password policy is compliant, partially compliant, or non-compliant with that standard.
You can click on any one of these standards to see the areas in which your password policy does not measure up. As you can see in the figure below, Password Auditor does not clutter your screen with settings that are OK the way that they are. It only shows you the settings that you might want to address.
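The three-state compliance indicator, and the "only show what needs attention" presentation, can be reproduced with a small evaluator. The following is an added example of my own, not Specops' rule set: it takes a constructed domain policy and a simplified reading of two standards (NIST SP 800-63B: at least 8 characters, no forced periodic expiration, screening against breached-password lists; PCI DSS 3.2.1: at least 7 characters with alphabetic and numeric characters, change at least every 90 days, no reuse of the last 4) and reports, per standard, a status plus only the checks that failed. The policy values and the exact check wording are assumptions for illustration.

```python
# Constructed domain policy. max_age_days == 0 means passwords never expire,
# mirroring the Active Directory convention for maximum password age.
POLICY = {
    "min_length": 7,
    "complexity": True,
    "max_age_days": 0,
    "history": 24,
    "breach_check": False,
}

# Simplified, illustrative requirement sets (my reading of the standards,
# not the tool's own rules). Each check returns True when the policy passes.
STANDARDS = {
    "NIST SP 800-63B": {
        "minimum length >= 8": lambda p: p["min_length"] >= 8,
        "no forced periodic expiration": lambda p: p["max_age_days"] == 0,
        "breached-password screening": lambda p: p["breach_check"],
    },
    "PCI DSS 3.2.1": {
        "minimum length >= 7": lambda p: p["min_length"] >= 7,
        "alphabetic and numeric characters required": lambda p: p["complexity"],
        "maximum age <= 90 days": lambda p: 0 < p["max_age_days"] <= 90,
        "history >= 4": lambda p: p["history"] >= 4,
    },
}


def evaluate(policy, standards=STANDARDS) -> dict:
    """Return {standard: (status, [failed checks])}. Passing checks are
    deliberately omitted so the output lists only what needs attention."""
    result = {}
    for name, checks in standards.items():
        failed = [label for label, check in checks.items() if not check(policy)]
        if not failed:
            status = "compliant"
        elif len(failed) < len(checks):
            status = "partially compliant"
        else:
            status = "non-compliant"
        result[name] = (status, failed)
    return result


def overall_indicator(results) -> str:
    """Collapse per-standard results into one traffic-light colour, the way a
    single dashboard box would: red if any standard is non-compliant, yellow
    if any is only partially compliant, green otherwise."""
    statuses = {status for status, _ in results.values()}
    if "non-compliant" in statuses:
        return "red"
    if "partially compliant" in statuses:
        return "yellow"
    return "green"


if __name__ == "__main__":
    results = evaluate(POLICY)
    print("overall:", overall_indicator(results))
    for standard, (status, failed) in results.items():
        print(f"{standard}: {status}")
        for label in failed:
            print(f"  - {label}")
```

Note that the two standards pull in opposite directions on expiration: the constructed policy's "never expires" setting satisfies the NIST check but fails the PCI one, which is why a policy can be partially compliant with both at once and why per-standard detail is more useful than a single score.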
When I write a review for this site, I give it a rating from zero to five stars (with five stars being the highest possible rating). Although many of the applications that I have reviewed over the years have received favorable scores, I have only given a perfect score on the rarest of occasions. I believe that there is almost always something that can be improved.
In this case, however, I am breaking my own rule and giving Specops Password Auditor a perfect score. The software works flawlessly, the documentation is well written (not that you will need it), the software is easy to use, you can get it for free, and most importantly, it does something useful. I simply cannot justify giving Specops Password Auditor anything other than a well deserved perfect score.
Editor's Note: This article is an update of a review of an earlier version of the product originally published in March 2018. The earlier version of the product also received a 5.0 Gold Award rating.