Credential Security

Find weak passwords before attackers do.

We extract and analyse Active Directory password hashes offline, identifying weak, reused, and compromised credentials that could give an attacker easy access to your network.

What we offer

Credential security, audited thoroughly.

Offline Analysis

Password hashes are extracted and analysed offline using industry-standard cracking techniques. No passwords are tested against live systems, eliminating any risk of account lockouts.

Comprehensive Coverage

We audit every account in your Active Directory environment, including service accounts, admin accounts, and dormant accounts that are often overlooked.

Actionable Results

You receive a clear breakdown of password strength across your organisation, with specific recommendations to improve your password policy and reduce credential risk.

Scope

Areas we can test.

Extensive Password Coverage

Dedicated GPU infrastructure lets us crack passwords across a wide range of structural patterns and real-world password behaviours, backed by extensive wordlists enriched with breached credentials.

Password Policy Review

A review of your current Active Directory password policy against modern guidance, with practical recommendations to strengthen length, complexity, reuse, and lockout settings to reduce the likelihood of successful credential attacks.

Pattern Analysis

Broken passwords are grouped by the predictable structures they share, such as capitalised first letters, trailing months or years, and company name variations, letting you target additional training at users relying on weak or common patterns.

Password Scoring

Every broken password is individually scored, with additional weighting applied to high-privileged accounts so the report reflects the real risk of each credential within its privilege context, making it clear where a weak password matters most.

Password Length Distribution

Analysis of password lengths across all broken accounts, identifying the proportion that fall below recommended thresholds or the minimum length defined in your current AD password policy.

Duplicate Password Detection

Identification of accounts sharing the same password, highlighting the risk that compromise of one account could grant access to others.

How we work

Our methodology.

Step 01

Scoping

We agree the scope of the audit, access requirements, and any specific account types or domains to prioritise.

Step 02

Hash Extraction

Secure extraction of NTLM password hashes from your domain controllers for offline analysis.

Step 03

Cracking

GPU-accelerated cracking using dictionary, rule-based, and brute-force techniques, plus comparison against breached credential databases.

Step 04

Analysis

Broken passwords are categorised by pattern, length, duplication, and account privilege to surface the most impactful weaknesses.

Step 05

Reporting

Clear, categorised results showing password strength distribution, reuse patterns, and specific policy improvement recommendations.
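Worked illustration of the Analysis step (Step 04) and the pattern, scoring, length-distribution and duplicate checks listed under Scope, as an added example rather than Illume's own tooling: it runs over a constructed set of cracking results (account names, passwords, the company name, the scoring weights and the 12-character policy minimum are all assumed) and produces the groupings the report describes.

```python
import re
from collections import Counter, defaultdict
# Constructed sample output of the offline cracking step (one record per AD account, None = not cracked); all values made up.
COMPANY, POLICY_MIN_LENGTH = "examplecorp", 12
CRACKED = [
    {"account": "jsmith", "privileged": False, "password": "Summer2023"},
    {"account": "abrown", "privileged": False, "password": "Summer2023"},
    {"account": "svc_backup", "privileged": True, "password": "Examplecorp1!"},
    {"account": "da_admin", "privileged": True, "password": "Welcome2024"},
    {"account": "rgreen", "privileged": False, "password": "October2024!"},
    {"account": "pjones", "privileged": False, "password": "correcthorsebatterystaple"},
    {"account": "mwhite", "privileged": False, "password": None},
]
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def classify_patterns(password, company=COMPANY):
    """Predictable structures the report groups on; the company check leet-normalises first (Examplec0rp -> examplecorp)."""
    found = set()
    if password[:1].isupper() and password[1:].islower():
        found.add("capitalised_first")
    if re.search(r"(?:19|20)\d{2}[^A-Za-z0-9]*$", password):
        found.add("trailing_year")
    if re.sub(r"[^a-z]+$", "", password.lower()).endswith(MONTHS):
        found.add("trailing_month")
    if company in re.sub(r"[^a-z]", "", password.lower().translate(LEET)):
        found.add("company_variant")
    return found

def score_password(record, min_length=POLICY_MIN_LENGTH):
    """Assumed weights: 50 base for any cracked password, +10 per pattern, +5 per character short of policy; privileged x1.5; capped at 100."""
    pw = record["password"]
    if pw is None:
        return 0
    score = 50 + 10 * len(classify_patterns(pw)) + 5 * max(0, min_length - len(pw))
    return min(int(score * 1.5) if record["privileged"] else score, 100)

def find_shared_passwords(records):
    """Accounts sharing one password (a real audit groups on the NT hash so duplicates among uncracked accounts are caught too)."""
    groups = defaultdict(list)
    for r in records:
        if r["password"] is not None:
            groups[r["password"]].append(r["account"])
    return {pw: accts for pw, accts in groups.items() if len(accts) > 1}

def length_distribution(records, min_length=POLICY_MIN_LENGTH):
    """Histogram of cracked-password lengths plus the count below the policy minimum."""
    lengths = Counter(len(r["password"]) for r in records if r["password"] is not None)
    return dict(lengths), sum(n for length, n in lengths.items() if length < min_length)
```

Sorting the records by `score_password` puts the two privileged accounts at the top even though the shared "Summer2023" password is the more widespread weakness, which is the privilege-context weighting the Scope section describes.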

What you receive

Your deliverables.

01

Password Analysis Report

Cracking success rates, pattern analysis with character mapping tables, duplicate password identification, password length distribution, and per-account scoring.

02

Password Recommendations

Practical guidance on improving password hygiene, including passphrase adoption strategies, policy recommendations, and user education advice.

03

Findings Debrief

A walkthrough of the results with your technical team, covering key findings, pattern trends, and priority actions, with time for questions.

04

Ongoing Support

Post-engagement support from the Illume team to answer questions about the findings and provide remediation guidance.

FAQ

Frequently asked questions.

Why should passwords be audited?

Password policies alone cannot detect predictable patterns, duplicate credentials, or passwords that technically meet complexity requirements but are still easily cracked. Auditing reveals what your policy misses by testing passwords against the same techniques a real attacker would use, giving you an evidence-based picture of your organisation's credential risk.

How is data protected?

Data is anonymised and remains so throughout the cracking process, with access limited to authorised Illume personnel. Final reports identify which accounts hold weak passwords, but the passwords themselves are never disclosed.

Can this cause account lockouts?

No. All analysis is performed offline against extracted password hashes. No authentication attempts are made against live systems, so there is zero risk of account lockouts.

What access do you need?

We provide a bespoke PowerShell script that safely extracts the NTDS database from a domain controller and packages it ready for secure transfer, so your team can run the extraction themselves without granting us direct access. If the password audit is being carried out alongside an internal penetration test, we can complete the extraction ourselves as part of that engagement.

How often should password auditing be done?

We recommend auditing at least annually, and after any changes to your password policy. Regular auditing helps you track whether password hygiene is improving over time and catches newly weak credentials.

Get Started

Ready to audit your Active Directory passwords?

Speak to a consultant about auditing your Active Directory credentials. We'll provide a fixed-price proposal, with no obligation.