IT KORR Knowledge Center
Password Audit Checklist
A structured checklist for auditing an organization's current password posture before or during a security assessment.
Policy Review
- A written password policy exists, is dated, and has a named owner.
- The policy specifies minimum length, MFA requirement, and rotation stance.
- The written policy matches what is actually configured in the identity platform.
Technical Configuration Review
- Minimum password length enforced at 12+ characters.
- Breached/common-password screening enabled.
- MFA enforced for all users, with documented exceptions only.
- Legacy authentication protocols disabled.
- Account lockout threshold and duration configured.
- Password history depth configured, if applicable.
Credential Hygiene Review
- Sample a set of accounts for password reuse across systems (via the password manager's own auditing feature, not manual inspection of actual passwords).
- Confirm no shared logins exist on systems requiring individual accountability.
- Confirm service account credentials are stored in a secrets manager, not in scripts or configuration files.
- Confirm vendor default credentials have been changed on all in-scope systems.
Findings & Next Steps
Document every gap found above with a severity rating and an owner for remediation. Re-run this checklist at the cadence defined in your organization's written policy, or before any compliance assessment.
Related Resources
- Password Strength Checker — /tools/password-strength-checker
- Compliance Readiness Assessment — /tools/compliance-readiness-assessment