Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Password Security · Download

Password Audit Checklist

A structured checklist for auditing an organization's current password posture before or during a security assessment.

IT KORR Knowledge Center

Password Audit Checklist

A structured checklist for auditing an organization's current password posture before or during a security assessment.

Policy Review

  • A written password policy exists, is dated, and has a named owner.
  • The policy specifies minimum length, MFA requirement, and rotation stance.
  • The written policy matches what is actually configured in the identity platform.

Technical Configuration Review

  • Minimum password length enforced at 12+ characters.
  • Breached/common-password screening enabled.
  • MFA enforced for all users, with documented exceptions only.
  • Legacy authentication protocols disabled.
  • Account lockout threshold and duration configured.
  • Password history depth configured, if applicable.

Credential Hygiene Review

  • Sample a set of accounts for password reuse across systems (via the password manager's own auditing feature, not manual inspection of actual passwords).
  • Confirm no shared logins exist on systems requiring individual accountability.
  • Confirm service account credentials are stored in a secrets manager, not in scripts or configuration files.
  • Confirm vendor default credentials have been changed on all in-scope systems.

Findings & Next Steps

Document every gap found above with a severity rating and an owner for remediation. Re-run this checklist at the cadence defined in your organization's written policy, or before any compliance assessment.

Related Resources

  • Password Strength Checker — /tools/password-strength-checker
  • Compliance Readiness Assessment — /tools/compliance-readiness-assessment

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Password Security Hub for the reasoning behind each recommendation, or use the Password Policy Generator for a fully configurable policy document.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT