🔒 100% client-side • Your policy data never leaves your browser
Password Policy Auditor
Score your Active Directory, Entra ID, or custom password policy against NIST 800-63B, ASD Essential Eight, and modern security standards. Get specific, actionable findings — not vague advice.
⚡ Quick Start — Try a Common Policy
- 🏚️ Legacy AD: 8 chars, 90-day rotation, complexity
- 🏢 Typical SMB: 10 chars, 365-day, MFA on admins
- 🛡️ Modern (NIST): 12+ chars, no rotation, MFA all
- 🏆 Best Practice: 15+ chars, passphrase, FIDO2
Minimum length: characters required. NIST recommends ≥8; ASD recommends ≥14 for E8 ML2+.
Maximum length: some systems cap at 16 or 20 — this is a red flag.
Complexity (composition rules): NIST 800-63B §5.1.1.2: do NOT impose composition rules. ASD aligns with NIST on this.
Maximum age (days): 0 = no expiry. NIST says no periodic rotation. ASD E8 ML1-2 allows no rotation if breached-password checks exist.
Password history: how many previous passwords are blocked from reuse.
Lockout threshold: failed attempts before lockout. 0 = no lockout (dangerous). NIST: rate-limit after 100 attempts.
Lockout duration: 0 = admin must unlock. NIST prefers throttling over hard lockout.
MFA coverage: ASD E8 ML2: MFA for all users. ML3: phishing-resistant MFA. NIST: MFA at AAL2+.
MFA method: NIST 800-63B: SMS is "restricted" — vulnerable to SIM swap. Hardware tokens are strongest.
Breached-password checking: do you check passwords against known breached/compromised password lists (e.g., HaveIBeenPwned, Azure Password Protection)?
Banned word list: block company name, product names, seasons, "password", etc.
Paste allowed: NIST 800-63B §5.1.1.2: verifiers SHOULD allow paste (password-manager friendly). Blocking paste breaks password managers; NIST explicitly says verifiers should allow it.
Privileged accounts: ASD E8 ML2+: privileged accounts need stronger controls, including separate credentials.
Import a policy: we'll parse common formats: GPO exports, Intune/Entra policies, plain-text policy documents.
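The field hints above amount to a rule set, and a client-side scorer that applies them is the kind of thing the auditor runs in the browser. The block below is an added example, not the auditor's own code: it encodes only the thresholds the hints state (NIST ≥8, ASD ≥14, no composition rules, no rotation, NIST's 100-attempt limit, MFA for all users, SMS as restricted, breached-password checks, paste allowed, separate privileged credentials). The policy field names, the severity weights, and the four preset policies are this example's own assumptions, constructed to mirror the Quick Start presets.

```javascript
// Added example (not the auditor's code). Policy field names and severity
// weights are assumptions; the rule thresholds come from the field hints above.
const WEIGHT = { high: 20, medium: 10, low: 5 };

// Each rule fires when `check` returns true for a policy object.
const RULES = [
  { id: 'min-length-nist', severity: 'high',
    check: p => p.minLength < 8,
    text: 'Minimum length is below the NIST 800-63B floor of 8 characters' },
  { id: 'min-length-asd', severity: 'medium',
    check: p => p.minLength < 14,
    text: 'Minimum length is below 14 characters (ASD Essential Eight ML2+)' },
  { id: 'max-length-cap', severity: 'medium',
    check: p => p.maxLength != null && p.maxLength <= 20,
    text: 'Maximum length is capped at 20 or fewer characters' },
  { id: 'composition-rules', severity: 'medium',
    check: p => p.complexity === true,
    text: 'Composition rules are imposed (NIST 800-63B §5.1.1.2 says not to)' },
  { id: 'periodic-rotation', severity: 'medium',
    check: p => p.expiryDays > 0,
    text: 'Periodic rotation is enforced; NIST recommends none' },
  { id: 'no-lockout', severity: 'high',
    check: p => p.lockoutThreshold === 0,
    text: 'Failed attempts are neither throttled nor locked out' },
  { id: 'lockout-threshold', severity: 'medium',
    check: p => p.lockoutThreshold > 100,
    text: 'More than 100 failed attempts are allowed before rate limiting' },
  { id: 'mfa-coverage', severity: 'high',
    check: p => p.mfaScope !== 'all',
    text: 'MFA is not enforced for all users (ASD E8 ML2)' },
  { id: 'mfa-sms', severity: 'medium',
    check: p => p.mfaScope !== 'none' && p.mfaType === 'sms',
    text: 'SMS is the MFA method; NIST 800-63B treats it as restricted' },
  { id: 'mfa-phishing-resistant', severity: 'low',
    check: p => p.mfaScope !== 'none' && p.mfaType !== 'fido2',
    text: 'MFA is not phishing-resistant (ASD E8 ML3 expects it)' },
  { id: 'breached-check', severity: 'high',
    check: p => !p.breachedCheck,
    text: 'Passwords are not screened against breached-password lists' },
  { id: 'paste-blocked', severity: 'medium',
    check: p => !p.allowPaste,
    text: 'Paste is blocked; NIST says verifiers should allow it' },
  { id: 'privileged-separation', severity: 'medium',
    check: p => !p.privilegedSeparate,
    text: 'Privileged accounts do not use separate credentials (ASD E8 ML2+)' },
];

// Run every rule; the score starts at 100 and loses the weight of each finding.
function auditPolicy(policy) {
  const findings = RULES.filter(r => r.check(policy))
    .map(({ id, severity, text }) => ({ id, severity, text }));
  const penalty = findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0);
  return { score: Math.max(0, 100 - penalty), findings };
}

// Constructed presets that mirror the Quick Start cards (values are assumptions).
const PRESETS = {
  legacyAd: { minLength: 8, maxLength: null, complexity: true, expiryDays: 90,
    history: 24, lockoutThreshold: 5, mfaScope: 'none', mfaType: 'none',
    breachedCheck: false, allowPaste: true, privilegedSeparate: false },
  modernNist: { minLength: 12, maxLength: null, complexity: false, expiryDays: 0,
    history: 24, lockoutThreshold: 10, mfaScope: 'all', mfaType: 'app',
    breachedCheck: true, allowPaste: true, privilegedSeparate: true },
  bestPractice: { minLength: 15, maxLength: null, complexity: false, expiryDays: 0,
    history: 24, lockoutThreshold: 10, mfaScope: 'all', mfaType: 'fido2',
    breachedCheck: true, allowPaste: true, privilegedSeparate: true },
};

for (const [name, policy] of Object.entries(PRESETS)) {
  const { score, findings } = auditPolicy(policy);
  console.log(`${name}: score ${score}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.text}`);
}
```

Each finding carries the rule id and the standard it maps to, which is what makes the output actionable rather than a single number: a score of 20 for the legacy preset is driven by two high-severity gaps (no MFA, no breached-password screening) that a defender should fix before worrying about the medium-severity length and rotation items.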
📋 Framework Compliance
| Framework | Status | Key Gap |
|---|---|---|
🔍 Detailed Findings
Want the full picture?
A password policy audit is just one piece. We can assess your entire identity security posture — Active Directory hardening, Conditional Access, privileged access management, and Essential Eight compliance.
Book a Free Assessment →