Password robustness audit
Test the robustness of your Active Directory passwords with statistical cryptanalysis.
“A single compromised corporate account (login and password) can lead to the compromise of an organization’s Information System.”
Lessons learned by SYNETIS teams during offensive audits.
The health of an Information System is very closely linked to the passwords it contains. Employee or service provider accounts, application accounts, service accounts, administration accounts… All these passwords are highly prized and targeted by external attackers, but also by malicious or careless internal actors.
Despite the presence of bastions, identity federation and strong authentication, what’s really going on in terms of hygiene and compliance with internal password policy? And what does a robust password policy really guarantee?
Judge the overall strength of passwords using statistical cryptanalysis
A password audit using statistical cryptanalysis enables you to assess the overall strength of your employees’ Active Directory passwords, as well as those of service or administration accounts. From this, we can deduce a potential compromise rate (proportion of weak passwords).
The aim is also to make users more aware of the weaknesses in their passwords, an essential lever in strengthening security levels.
Today, on average, Synetis breaks over 50% of passwords in less than 5 hours.
Discover the benefits of a password audit
A password audit, whether one-off or recurring (every 3 or 6 months), provides decision-makers with concrete statistics, indicators and metrics:
- How many user accounts can be compromised in X hours?
- How can a password be broken, by what method and in how long?
- What is the breakdown of password-protected accounts?
- What are the top 10 passwords used by employees?
- What are the most frequently used "basic words"?
- What is the password length distribution?
- What is the overall password strength index for employees (industry standards, ANSSI recommendations, etc.)?
- How does my company compare with others in the same sector?
- How robust are the hashing algorithms and the password policy of a given directory?
- When the audit is repeated, how has the overall strength of the company's passwords evolved over time?
Rely on a rigorous, proven approach
Our assessment approach covers the following steps:
- Secure transmission of your NTDS directory (the ntds.dit database and the SYSTEM hive needed to decrypt it);
- Identification of the hash algorithms in use (NT, and any residual LM hashes), frequency analysis of duplicated hashes and formatting of the hashes for cracking;
- Dictionary attacks (contextualized wordlists built from the company's vocabulary, common wordlists, public leaks);
- Hybrid attacks based on transformation rules;
- Frequency analysis and rainbow tables (applicable because NT hashes are unsalted);
- Brute-force attacks based on masks;
- Verification of compromise against datasets of leaked passwords;
- Analysis of results and statistics;
- Restitution of results.
Benefit from a full appraisal report
A statistical cryptanalysis engagement produces a report containing all the results and indicators generated. It includes a list of recommendations, best practices and an action plan:
- A global view, then refined (by Active Directory domain, by algorithm, by period);
- Customized according to your account naming conventions (*-adm, svc-*, ...);
- Specifying the password distribution:
  - By length, by domain, by models / patterns / masks, by algorithm;
  - By complexity (industry standards, ANSSI recommendations, Active Directory policy compliance);
- Top 100 most frequently used passwords and base words (blacklist);
- Percentage of passwords already present in past leaks (dark web);
- Evolution of the cracking results over time (timeline);
- And many other metrics to monitor the health of the IS through the passwords used.
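The methodology above (hash formatting, cracking, compromise checks) and the report metrics listed in this section both come down to one operation: joining the NT hashes extracted from ntds.dit with whatever the cracking tool recovered, then computing statistics over the result. The following script is an added example written for this page; it is not Synetis' tooling and nothing in it comes from the original. It assumes two inputs a practitioner typically has at hand: a secretsdump-style NTDS dump (`domain\user:rid:lmhash:nthash:::`) and a hashcat potfile for mode 1000 (`nthash:plaintext`, with non-printable plaintexts as `$HEX[...]`). The sample dump and potfile are constructed and the hash values are made-up hex, not real hashes of the passwords shown. The account naming rules (`*-adm`, `svc-*`) and the approximation of the Windows complexity rule (minimum length, three of four character classes, username not contained) are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample inputs (fake hex hashes, not derived from the plaintexts).
NTDS_DUMP = """\
CORP\\alice:1105:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
CORP\\bob:1106:aad3b435b51404eeaad3b435b51404ee:b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::
CORP\\carol:1107:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
CORP\\dave-adm:1108:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
CORP\\svc-backup:1109:aad3b435b51404eeaad3b435b51404ee:d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4:::
CORP\\svc-sql:1110:11111111111111111111111111111111:c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3:::
CORP\\erin:1111:aad3b435b51404eeaad3b435b51404ee:e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5:::
"""
POTFILE = """\
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:Password1
b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:Summer2023!
d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4:Welcome123
"""
# LM hash of an empty password: any other LM value means the legacy hash is still stored.
NO_LM = "aad3b435b51404eeaad3b435b51404ee"


def parse_ntds(text):
    """Parse secretsdump-style lines 'domain\\user:rid:lmhash:nthash:::'."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, rid, lm, nt = line.split(":")[:4]
        accounts.append({"account": account, "user": account.split("\\")[-1],
                         "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def parse_potfile(text):
    """Parse a hashcat potfile (mode 1000): 'nthash:plaintext', $HEX[..] decoded."""
    cracked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        nt, plain = line.split(":", 1)  # plaintext itself may contain ':'
        if plain.startswith("$HEX[") and plain.endswith("]"):
            plain = bytes.fromhex(plain[5:-1]).decode("utf-8", "replace")
        cracked[nt.lower()] = plain
    return cracked


def classify(user):
    """Assumed naming convention: *-adm = admin account, svc-* = service account."""
    u = user.lower()
    return "admin" if u.endswith("-adm") else "service" if u.startswith("svc-") else "user"


def mask(pw):
    """Hashcat-style mask of a plaintext, e.g. 'Summer2023!' -> '?u?l?l?l?l?l?d?d?d?d?s'."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in pw)


def base_word(pw):
    """Strip leading/trailing digits and symbols to expose the dictionary word."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def meets_ad_complexity(pw, user, min_len=8):
    """Assumed approximation of the Windows complexity rule: min length,
    3 of 4 character classes, and the username not contained in the password."""
    classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= min_len and classes >= 3 and user.lower() not in pw.lower()


def audit(ntds_text, pot_text):
    """Join the dump with the potfile and compute the report metrics."""
    rows = [{**a, "category": classify(a["user"])} for a in parse_ntds(ntds_text)]
    cracked = parse_potfile(pot_text)
    for r in rows:
        r["password"] = cracked.get(r["nt"])
    hits = [r for r in rows if r["password"] is not None]
    hash_count = Counter(r["nt"] for r in rows)
    by_cat = {}
    for cat in ("user", "admin", "service"):
        members = [r for r in rows if r["category"] == cat]
        by_cat[cat] = (sum(r["password"] is not None for r in members), len(members))
    return {
        "total": len(rows),
        "cracked": len(hits),
        "crack_rate": len(hits) / len(rows),
        "by_category": by_cat,
        # NT hashes are unsalted: one hash shared by N accounts = one crack compromises all N.
        "shared_hashes": {h: [r["account"] for r in rows if r["nt"] == h]
                          for h, n in hash_count.items() if n > 1},
        "lm_hash_present": [r["account"] for r in rows if r["lm"] != NO_LM],
        "length_distribution": dict(Counter(len(r["password"]) for r in hits)),
        "top_passwords": Counter(r["password"] for r in hits).most_common(10),
        "top_base_words": Counter(base_word(r["password"]) for r in hits).most_common(10),
        "top_masks": Counter(mask(r["password"]) for r in hits).most_common(10),
        # Accounts whose password satisfied the policy and was still cracked.
        "compliant_but_cracked": [r["account"] for r in hits
                                  if meets_ad_complexity(r["password"], r["user"])],
    }


if __name__ == "__main__":
    for key, value in audit(NTDS_DUMP, POTFILE).items():
        print(f"{key}: {value}")
```

Two details are worth noting. First, `shared_hashes` is computed before any cracking: because NT hashes carry no salt, duplicated hashes already reveal password reuse between, say, a user account and its `-adm` counterpart, and a single recovered plaintext unlocks every account that shares it. Second, in the sample every cracked password passes the complexity rule, which is exactly the gap between "compliant with policy" and "robust" that the audit is meant to expose; the leaked-password check against a public dataset can be added as one more column on the same joined rows.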
Why Synetis?
- An overall crack rate close to 80%, all domains, customers and sectors combined;
- Millions of passwords analyzed;
- On average, 50% of passwords are cracked in less than 5 hours;
- Concrete, comprehensive results within 2 weeks of analysis;
- This service is carried out on standard hardware, without supercomputers, so that the results reflect what a realistic attacker can achieve.
Are your passwords really secure? Synetis’ statistical cryptanalysis audit reveals your vulnerabilities and gives you the keys to correcting them.