Simple Password Generator

Technical Guide to Auditing Password Quality in Active Directory or LDAP

Maintaining a secure corporate environment is one of the most critical and complex tasks for any system administrator. Despite advanced firewalls and intrusion detection systems, the weakest link remains identity: user passwords.

Periodically auditing password quality in Active Directory or LDAP allows us to identify weak, duplicate, or compromised credentials before an attacker exploits them for lateral movement.

Step 1: Secure Export of Hashes

The first step is to safely extract the Active Directory database (ntds.dit). This should never be done in plain text or exposed outside the domain controller. The standard method is to use the native ntdsutil tool with the "Install From Media" (IFM) technique:

# Run on a Domain Controller as Administrator
ntdsutil
activate instance ntds
ifm
create full C:\ADBackup
quit
quit

This creates a copy of the database file together with the SYSTEM registry hive, which holds the boot key needed to decrypt the NTLM hashes; the decryption itself is then done locally, in an isolated audit environment.

Step 2: Extracting NTLM Hashes

Once the files are obtained, we can use open-source tools such as secretsdump.py (from the Impacket suite) to extract user NTLM hashes:

secretsdump.py -ntds "C:\ADBackup\Active Directory\ntds.dit" -system "C:\ADBackup\registry\SYSTEM" LOCAL -outputfile hashes.txt

The resulting file will contain the user identities and their corresponding NTLM hashes.

Step 3: Checking Against Leaked Databases (Have I Been Pwned)

To verify if any passwords have been previously exposed, we can cross-reference our list of hashes with the public database of Have I Been Pwned. This is done securely using the HIBP range API (via K-Anonymity) so the actual hash is never revealed.

Conclusion and Mitigation

Auditing identity systems is the best proactive defense. Once accounts with weak, reused, or exposed passwords are detected, it is essential to require a reset to strong, high-quality credentials.

Need to create robust and complex service credentials for your infrastructure? Do not let administrators invent their keys; use our Password Generator to secure your enterprise deployments with high-entropy keys.