Password Resilience Assessment

A lock can look reassuringly sturdy on the door and still happen to open to a key that half the street already owns. Password strength is exactly like this - far more measurable than most organisations realise, and frequently far weaker than a policy suggests. Our Password Resilience Assessment evaluates how your organisation's passwords would withstand a determined offline attack, not in theory, but by demonstrating, against your actual password hashes and under strict controls, precisely how many would fall and how quickly. It is the natural technical companion to our Credential Theft Assessment, and the number it produces is usually a sobering one.

Why Passwords Are So Weak

It is worth being honest about this from the start: most passwords are considerably weaker than the people who chose them believe, and the fault is not really theirs. Human beings, left to invent and remember passwords unaided, are remarkably predictable. We reach for names, dates, seasons, the company we work for, a favourite team, a keyboard pattern - and when a complexity rule demands a capital, a number, and a symbol, we satisfy it in the most predictable way imaginable: a capital at the front, an exclamation mark and a year at the end. "Summer2024!" passes almost every corporate policy and sits among the first few thousand guesses any attacker would try. A password that felt effortful to remember often carries far less genuine unpredictability than its length suggests.

Reuse makes this worse. The average person now juggles dozens of accounts, and without a password manager the only way to cope is to use the same handful of passwords everywhere. That means a password is rarely confined to your systems: if a member of your staff has reused one on a site that was later breached - and breaches are constant - then that password is, in effect, already public, sitting in one of the enormous credential dumps that circulate freely. The honest working assumption for anyone not using a password manager is that at least one of their passwords is already known to attackers. None of this reflects carelessness. It reflects the fact that human-chosen passwords are simply a weak mechanism being asked to do a job they were never well suited to.

How An Attacker Cracks Them

The reason weak passwords matter so much is that the tools for breaking them are extraordinarily good, freely available, and require little expertise to run. When an attacker obtains a set of password hashes - from a breach of your systems or anyone else's - they do not sit and guess by hand. Tools such as hashcat and John the Ripper drive modern graphics hardware to test billions of candidate passwords every second against fast hash algorithms, and they are far cleverer than blind brute force: they work through wordlists built from real leaked passwords, then apply rules that mimic exactly the human habits described above - capitalising, appending years, swapping letters for lookalike digits - so that the predictable password falls first, not last. Against live login systems rather than stolen hashes, automated tools such as Hydra carry out the same guessing online, at speed, against any service that will keep accepting attempts.

Two technical details decide how quickly this succeeds. The first is whether the stored hashes are salted - given a unique random value each - because without salting an attacker need not crack anything at all: they can simply look the hash up in a precomputed rainbow table, and public services such as CrackStation will reverse an unsalted hash of a common password in moments. The second is the hash algorithm itself: fast, general-purpose functions such as MD5, or the NTLM hashes Windows uses, can be attacked at enormous speed, whereas the deliberately slow, memory-hard functions designed for passwords - bcrypt, scrypt, Argon2 - are dramatically more resistant. Part of what our assessment establishes is not only how weak your passwords are, but how much the way they are stored is helping or hurting you.

Handled With Care

The material is as sensitive as material gets, and we treat it accordingly. We report on patterns, weaknesses, and statistics rather than exposing individual plaintext passwords gratuitously, and we agree the handling and destruction of all material in advance, performing the cracking on infrastructure we agree with you. The findings consistently illuminate the gap between a password policy that looks robust on paper and the genuinely weak, predictable passwords that complexity rules permit - and frequently encourage. We give particular attention to service and administrative accounts, whose passwords are often old, over-privileged, and crackable entirely offline without ever triggering a lockout. We recognise that password resilience testing may inherently run into data privacy concerns for individuals within your organisation, and will only conduct testing with the consent of the individuals in question and in compliance with data protection regulations.

Why Better Rules Are Not The Answer

The instinctive response to weak passwords is a stricter policy - longer minimums, more character classes, more frequent changes. The uncomfortable truth, now well recognised by the bodies that set security guidance, is that this barely helps and often backfires. You cannot, in practice, compel a person to choose a genuinely unpredictable password, and harsher rules mostly push people towards the predictable patterns that satisfy the letter of the rule while remaining easy to crack, or towards writing passwords down where they can be found. If an attacker knows your password rules, they may even make passwords more predictable, not less. Guidance from the UK's National Cyber Security Centre and from NIST in the United States now reflects this: both have moved away from enforced complexity and routine expiry, and towards length and memorable passphrases, the screening of new passwords against known-breached datasets so that a compromised one is refused at the point it is chosen, and - above all - reducing how much rests on passwords in the first place.

That last point is where the real remedies lie, and we are direct about them. The most effective single change for most organisations is to take password creation out of human hands entirely by adopting a password manager, such as the open-source KeePassXC, so that every password is long, random, and unique to one account - and reuse simply stops being possible. Multi-factor authentication then ensures that even a cracked or leaked password is not enough on its own. And the endgame, increasingly practical, is to remove the password from the equation altogether by moving to passkeys: a passkey keeps its secret half on the user's own device and proves identity by signing a challenge, so nothing crackable ever crosses the network, and there is no shared secret left to steal or guess. We can advise on each of these; their implementation connects to our Security Engineering work, while the cultural shift to using a password manager is exactly the kind of change our Staff Training supports. In the meantime, our Password Resilience Assessment can demonstrate the necessity of such changes.

The Benefit For Security Teams

Are you a managed services provider, security operations centre, or internal IT or security team at a larger organisation? Have you been telling your clients or employers for years that they need to update their passwords, utilise password managers, adopt multi-factor authentications, or migrate to passkeys? Have you been ignored, stonewalled, or had your requests put on indefinite hold? Look no further: our Password Resilience Assessment provides a direct demonstration of how vulnerable your client's or employer's passwords really are. It's harder for an executive or director to treat password weakness as a marginal concern when they can watch their password being cracked in real time. Our goal is to provide the kind of irrefutable illustration of weak passwords that can give an actual impetus for adopting the recommendations you've likely been making for years already.

What You Receive

You receive a quantified, evidence-backed measure of your password resilience: what proportion of your passwords fell, how quickly, the patterns that drove the failures, and how much your hashing and storage helped or hindered. Alongside it come clear recommendations - breached-password screening, the move to password managers and multi-factor authentication, and the longer road to passkeys.

We are candid about what this assessment is for. It will not, by itself, make your passwords strong; that is the work of the changes above. What it does, better than any policy document or awareness poster, is make the problem undeniable. Few things move an organisation to act like a single sentence its leadership cannot argue with: this proportion of our staff passwords were recovered, in this much time, with tools anyone can download.