Password Exposure Test (PET) Product Manual – Knowledge Base

The Password Exposure Test (PET) is a free tool that analyzes the passwords of the accounts in your Active Directory (AD) for numerous types of password vulnerabilities. Using this test will increase your organization's awareness by letting you know if you're susceptible to a password-related attack.

The PET results will display which user accounts failed the test, and what vulnerability or vulnerabilities they failed with. This information can empower you to enhance your internal security measures by training your users about password safety, enhancing your password complexity rules, or taking other actions to bolster your cybersecurity posture.

Use the jump links below to learn how to install PET and understand your results.

Jump To:
How Does the PET Work?
System Requirements/Prerequisites
Installation and Setup
Analyzing Your Results

Failure Types/Vulnerabilities Found
Additional Results

Frequently Asked Questions (FAQ)

I had several users fail the test. What do I do now?
Can I see what the weak and breached passwords are?
Can I run this test if I'm using Azure AD?
Can I run this test multiple times?
What is the WeakPasswords.txt document and what is it used for?
Where do you get your breach data from? Can I see it?
My anti-virus flagged this as dangerous. Is it?
Are any log files generated during the test?
I received an error message and my test did not run. What do I do?

How Does the PET Work?

The PET analyzes the following AD information in order to check for weak and vulnerable passwords:

Your AD password table (containing hashed passwords)
The encryption algorithm of your AD password table
The primary domain found in your AD tree

The PET also uses your business email domain to assess the amount of data that is publicly available about your organization.

It is important to note that this tool will never display or report the actual passwords of any user accounts in your AD. Passwords within AD are in a hashed format and will not be visible at any point. The test results will simply identify the user accounts that fail the test so you can decide how to remedy that.

Additionally, the data pulled from AD is encrypted. The information obtained during the test is saved in local memory, not to a disk. Your domains are the only data transmitted to us from your AD at any point during the test.

System Requirements/Prerequisites

System Requirements

To run the PET, the system you use must have the following:

Windows 10 or later (32 or 64-bit), Windows Server 2016 or later
Active Directory (AD), running on Windows Server 2008 R2 or later
Ability to access the domain controller (DC)
Internet access
.NET Framework 4.7.2 (will be installed if needed)
At least two processors
At least 2GB of RAM
At least 1GB of hard disk drive (HDD) space available on your system drive
User Account Control (UAC) enabled

You should also run this test on a system other than your DC as the scanning process can temporarily generate significant network traffic and CPU usage.

Prerequisites

For installation, you will need the following information:

A license key, emailed to you when you sign up for PET
Domain name of your AD (For example: MyDomain.com or MyDomain.local)
Name of your Domain Controller (DC)
Credentials to connect to your AD.

Important: The credentials you use to connect to Active Directory with the PET must have“Replicating Directory Changes” and “Replicating Directory Changes All” permissions for the test to run successfully. These permissions allow you to obtain a copy of your password table for analysis. For information on quickly adding required permissions to an account in AD, see our How to Grant "Replicating Directory Changes" Permissions article. For additional notes on these permissions, see the list below.

A domain admin does not have permission by default to access this information, so using the tool with a domain admin account will not necessarily allow you to run the test successfully.
We strongly recommend creating a new account in AD with these permissions for the purpose of running this test. Once the test is complete, you should delete this new account in accordance with the principle of least privilege.
Why create a new account? Creating a new account will make it easier to determine when this test took place and which account accessed the information, should you need to look for that information in the future. It also makes it easier to remove those permissions: once the test is done, simply delete the newly-added user account.

Installation and Setup

Once you have a system that meets the requirements and prerequisites, follow the steps below to complete the install.

Sign up for your free test by navigating to https://www.knowbe4.com/password-exposure-test.
Upon signing up, we'll email you a unique license key, which you'll need to enter prior to running the test.
Download and run the installer file for the PET. Review and agree to the License Agreement and then click Install.
Click Yes if prompted to allow the program to make changes.
The installation will begin, click Launch once the installation is complete.

Click Yes if prompted to allow the program to make changes.
Enter your unique License Key, which was sent to the email address you provided when signing up. Click OK.
Enter the following credentials, as shown in the image below.
- (a) The Domain name (DNS) of your Active Directory (For example, mydomain.com or mydomain.local)
- (b) The computer name of your Domain Controller (DC) (For example, DC1)
- (c) The Username and Password for the account you created which has "Replicating Directory Changes" and “Replicating Directory Changes All” permissions
After entering the above information, click Start Test when you are ready to begin your test.

Note: The PET has additional settings you can access by clicking the gear icon in the top-right corner of the window. In General settings, you can choose to include two optional vulnerabilities in your scan: AES Encryption No Set or Password Never Expires.

The test will analyze your organization's AD accounts and your results will be displayed on-screen as soon as the test is complete. This process usually only takes a moment to complete but may take longer depending on your AD and workstation performance.

Analyzing Your Results

Your PET results display the total number of AD accounts checked and specify the number of accounts that are considered vulnerable or not vulnerable.

Each of your AD accounts will be listed in the results table and a checkmark will indicate the specific vulnerability or vulnerabilities found on that particular account. You can also search for a specific account by entering characters into the search box.

The test also performs a data exposure assessment and calculates an Exposure Level percentage and Risk Distribution pie chart for your organization.

Refer to the details below to learn more about the different types of results available in your PET.

Vulnerable Accounts: Lists the total number of accounts that were assessed and found to have vulnerabilities.
Not Vulnerable: The number of accounts that were assessed and determined to not have vulnerabilities.
All Accounts: The total number of accounts assessed during your test.
Found Vulnerabilities pie chart: Compares all of the password vulnerabilities found in your AD and indicates which vulnerabilities are most prevalent in your organization.
Exposure Level: The percentage of your employees that were found to have publicly exposed data. Any account meeting at least one of the following failure types (found in the PET results table) contributes toward this percentage: Sensitive Info Exposed, Password Info Exposed, or Breached Password.
For more information on these failure types, please see the Additional Results section below.
Risk Distribution pie chart: A visual representation of the severity of the data that is publicly-available about your organization. Hover over the pie chart to identify the two segments or ranks of data exposure results, outlined below:
- High Risk: Results were found in publicly-available breach data, which could contain sensitive personal information about your employees. This information can be used to create a sophisticated social engineering attack against individuals or an organization.
- Very High Risk: Results were found in publicly-available breach data, where passwords were leaked during the breach. These password breaches included cleartext passwords or password hashes.
Rerun Test: You can click this button to rerun the PET.
Search: Use this search bar to find specific accounts in your results.
Export to Excel or Export to PDF: Use these options to export your PET results.
Checkmark icon: A checkmark icon indicates the type of vulnerability found on the account.
Failure Types/Vulnerabilities Found: You can click each of the failure types in the panel on the left-hand side to filter the results to only show the accounts having that vulnerability. See the next section for details on these failure types.

Failure Types/Vulnerabilities Found

The PET analyzes your data to look for 12 different failure types that can leave your organization vulnerable to an attack. The following table explains each of the primary PET vulnerabilities included in your results.

Weak Password: This failure indicates that the affected account's password matched one of those listed in our Weak Password dictionary. These passwords are either very common, easy to guess, or have been made available to attackers because of past data breaches.
Breached Password: This failure indicated that at the time of a data breach, the affected account's password matches a password that was associated with an email address at your domain. Your AD accounts are checked against a database of breached data that contains over one billion leaked passwords.
Password Info Exposed: This failure indicates that the affected account has been found in publicly available breaches that contain either cleartext passwords or password hashes. The results for this failure type are found in the fourteenth column in the results table.
Shared Password: This failure indicates that the affected account shares a password with at least one other account.
Empty Password: This failure includes accounts that do not have a set password.
Clear Text Password: This failure includes passwords that are stored in clear text in an Active Directory. This means the users' AD passwords are stored using reversible encryption.
Password Not Required: This failure includes accounts that have the capability of not having a password.
Password Never Expires: This failure indicates that the account has its password timeout set to zero. Because of this setting, even if the Password never expires check box in the user’s properties is unchecked, their password will never expire. The PET will check password expiration settings in your organization’s domain policies, fine-grained password policies, and user properties.
LM Hash Password: This failure indicates that the affected account uses a Local Area Network (LAN) manager hash, which is an antiquated method. These passwords are vulnerable to brute force attacks and can be cracked in seconds.
AES Encryption Not Set: This failure indicates that the account doesn’t use Advanced Encryption Standard (AES) to encrypt the user’s password. AES encrypts passwords with a 128-bit or 256-bit key. So, passwords that use AES encryption are less vulnerable to attacks.
DES-Only Encryption: This failure indicates that affected accounts were set up using the retired Data Encryption Standard (DES) mechanism. This could be a result of old software that doesn’t know how to react to AES.
Missing Pre-Authentication: This failure indicates that affected accounts have an important security mechanism turned off. Without these security mechanisms, the accounts may be at risk of brute force attacks. These attacks can occur offline and are difficult to detect. The security mechanism, when enabled, creates an encrypted authentication request so that attempts to authenticate to the account are logged.

Additional Results

Your PET results will display information on additional results beyond just the failure types. These additional details and failure types can help to determine which of your AD accounts are the most vulnerable, and therefore in need of the most immediate attention. See the list below for details.

Domain: Signifies which Domain is used in the corresponding AD account.
Sensitive Info Exposed: The affected accounts were found to have some of their identity information publicly visible, leaving them susceptible to phishing attacks.
Social Info Exposed: The affected account was found to have a public social media presence.
Password Last Modified: The date the password was last changed for the corresponding AD account.
Breach Entry Timestamp: The approximate date that the affected account was last involved in a breach.
Please see below for additional information about where we obtain our breach data.
Breach Info: Describes the type of breach the account was involved in (i.e., how the breach occurred, and what type of sensitive data was leaked as a result (if this information is available)).
Please see below for additional information about where we obtain our breach data.

Frequently Asked Questions (FAQs)

I had several users fail the test. What do I do now?
First and foremost, have the users with vulnerable accounts change their passwords immediately.
Secondly, train your users on proper password practices with security awareness training and remind them often. It is important for them to know that hackers can crack a password within seconds with the right tools in hand.
KnowBe4 offers several courses covering proper password practices, which can be used to train your users.
For many of the vulnerabilities, you’ll also want to enforce stricter password requirements in your organization. We strongly recommend increasing your password complexity requirements and setting a rule to ensure passwords expire on a regular basis.
While we cannot advise you on the specifics of how to remedy all of the password vulnerabilities in your organization, we can point you in the direction of some great resources that can help.
- TechNet: Configuring Password Policies
- TechNet: Best Practices for Enforcing Password Policies
- Microsoft: Password Guidance (Downloadable PDF)
Back to top
Can I see what the weak and breached passwords are?
No. The passwords are hashed and cannot be displayed.

Back to top
Can I run this test if I'm using Azure AD?
No. This tool will only work with a local AD.

Back to top
Can I run this test multiple times?
Absolutely. If you want to run the test again, click Rerun Test below the Risk Distribution pie chart. Be sure to download a PDF or Excel sheet of your current results before running a new test.

Back to top
What is the Weak Passwords dictionary and where can I find it?
The Weak Passwords dictionary contains over 11 million weak and compromised passwords from past data breaches. Hackers use similar dictionaries to attempt to crack your organization's passwords.
To find the Weak Passwords dictionary, navigate to the Password Exposure Test installation folder by following this path: “C:\ProgramFiles (x86)\KnowBe4\Password Exposure Test”. Then, open the data.bin file to view the Weak Passwords dictionary.

Back to top
Where do you get your breach data from? Can I see it?
The breached data shown in the PET is obtained through researching publicly-available breach information. For privacy and security purposes, the PET database is proprietary information. Additionally, KnowBe4 partners with Spycloud.com to search past breaches. Spycloud is a well-respected online resource which specializes in allowing users to search for their email address to see if their information has been made available in past data breaches.

Back to top
My anti-virus flagged this as dangerous. Is it?
No, it is not dangerous. The PET’s behavior could mimic that of a password-cracking tool used by hackers, which is why your antivirus may have flagged it as potentially dangerous.

Back to top
Are any log files generated during the test?
Yes. A log file is created when you run the PET. The file can be found under C:\ProgramData\KnowBe4\Password Exposure Test\DebugLogs.

Back to top
I received an error message and my test did not run. What do I do?
If you received an error and could not complete the test, check the chart below for common error messages and their causes.

Error Message	Issue
The Active Directory account you are attempting to run the test with does not have Replicating Directory Changes Permissions.	The account you are using for the test does not have the proper permissions. Make sure you've created an account with Replicating Directory Changes and Replicating Directory Changes - All Permissions. For more information, visit the System Requirements section of this article.
Test was unable to run due to invalid user name and/or password. Please check your credentials and try the test again.	We were unable to connect to your AD using the credentials you provided. Make sure your user name and password are correct and try to run the test again.
Server is unavailable. Please check your Domain DNS Name and try the test again.	This means your Domain DNS name is incorrect, or incorrectly formatted. Make sure you use the format of domain.com or domain.local and attempt to run the test again.
Server is unavailable. Please check your Domain Controller and try the test again.	This means your Domain Controller IP is incorrect, or incorrectly formatted. Double check the IP and attempt to run the test again.
The license validation failed.	This is likely to mean one of two things: a) either the license key you are using is invalid, or b) you are attempting to validate the license key through a proxy and it is failing as a result of that. If the error is due to a proxy, simply allow connections to the following domains in your proxy settings to allow the validation of your license key to occur: https://auth.knowbe4.com/* https://bpt.knowbe4.com/* https://eecpro.knowbe4.com/*