Most businesses don’t realize they have a password problem until an issue forces them to acknowledge it, such as an admin password kept in a spreadsheet, or login credentials that remain active for team members who left your company years ago. 

This is a common occurrence. In the UK, the government’s Cyber Security Breaches Survey 2024(nytt fönster) found that 50% of businesses identified a cyber security breach or attack in the previous 12 months, rising to 70% of medium businesses and 74% of large businesses.

In this situation, a password audit is one of the most valuable actions your business can take to stay safe. It’s a practical way to uncover credential risks that tend to build quietly in the background through weak passwords, unauthorized access, dormant accounts, and logins stored outside approved systems. 

For small and mid-sized organizations in particular, this kind of review can help make meaningful security improvements without spending money or conducting a complex transformation program.

This article explains how to conduct a password audit for your business, what to look for, and how to turn the process from a one-off clean-up into a more consistent security practice.

What is a password audit?

A password audit is a systematic review of the passwords, accounts, and access permissions used across a business. Its purpose is to identify credential-related risks such as weak passwords, reused passwords, outdated logins, inactive accounts, excessive access, and credentials stored outside approved systems.

In practice, a password audit goes beyond checking whether a password is strong enough. It also looks at:

  • How passwords are managed across your organization
  • Who has access to what and whether that access is still necessary
  • How passwords are stored and shared
  • Whether your business has enough visibility to spot risk before it becomes a security issue

This broad scope is what makes a password audit useful. In most organizations, credential risk isn’t created by a single bad password. It builds gradually through small failures in oversight, inconsistent access controls, poor storage habits, and accounts that remain active long after they should have been reviewed or removed.

An effective password audit helps bring those issues into view. It gives businesses a clearer understanding of their current password hygiene and creates a practical basis for improving access control, tightening credential management, and reducing avoidable exposure over time. This kind of review is much easier to conduct when you’re using a business password manager with admin tools that support visibility, access review, and policy enforcement.

How to run a password security audit: a practical five-step framework

A useful password audit doesn’t need to begin with a perfect map of every account, tool, and access path in the business. It just needs a clear structure and a controlled system for managing credentials. Without these two things, the process can quickly become too broad and too easy to postpone. 

The way to break the cycle of avoiding password audits is to centralize password management, define ownership, and review access through one approved workflow.

Here’s an in-depth guide to running your own password audit:

Step 1: Create a full credential inventory

Start by building a working inventory of the systems your business depends on. That includes the obvious core platforms, such as:

  • Email
  • Finance tools
  • Cloud storage
  • Collaboration software
  • CRM systems
  • Admin consoles
  • Any environment that holds company or customer data

It should also include less obvious tools and services operating in your network:

  • Shared social accounts
  • Dormant SaaS subscriptions
  • Contractor tools
  • Test environments
  • Services adopted by individual teams without central oversight

Cataloguing every tool is important because most credential risk starts with incomplete visibility. If you don’t know which tools are in use, you can’t review how access is being managed across them.

Businesses that already use a business password manager such as Proton Pass for Business begin their password audit with a practical advantage because credentials live in encrypted vaults.

Step 2: Map access against business need

Once you have a clearer view of your systems, the next step is to examine access. You need to review whether the right people still have the right level of access to the right tools.

Start by looking at each key system and asking who currently has access, if it reflects their present responsibilities, and whether any accounts carry broader permissions than necessary.

In many businesses, access expands gradually over time. Broad admin rights can be granted for convenience and never removed, for instance. Contractors may retain access after a project ends, or team members may change roles and keep permissions from previous ones.

That kind of drift increases risk even when the password itself is strong. The NCSC’s guidance(nytt fönster) on access control recommends assigning accounts to authorized individuals only, and giving users the minimum access and permissions they need, since anyone can become a liability. A password audit should therefore examine the reason behind each access level.

Step 3: Do a password health check

This stage of the password audit is for identifying any reused or weak passwords, inactive two-factor authentication (2FA), outdated logins, and insecure storage habits that make compromise more likely.

At this point, the review should focus on a few practical questions:

  • Are passwords unique to each account?
  • Are any passwords weak or easy to guess?
  • Are old credentials still being used and unaccounted for?,
  • Are employees writing down their passwords in browser storage or note-taking apps instead of business-approved systems?
  • Is 2FA enabled everywhere it can be?

Proton Pass for Business helps you with Pass Monitor, which includes: 

  • Password health check tools for automatically detecting repeated or weak passwords and inactive 2FA
  • Dark Web Monitoring for alerting you if your credentials are involved in breaches
  • Proton Sentinel for detecting and blocking suspicious login activity that may lead to account takeover

Step 4: Review inactive accounts

One of the fastest ways to reduce credential risk is to simply remove what no longer needs to exist. Most businesses accumulate inactive accounts over time. For example:

  • Former employees that still have access to your company’s tools
  • Old SaaS platforms that remain tied to valid company credentials long after adoption has trailed off
  • Shared accounts designed for short-term use that end up staying live for months or years because no-one knows who owns them

These accounts attract less attention than active ones, which makes them especially easy to overlook. This review is also closely aligned with broader compliance discipline.

A strong business password review needs to include a deliberate effort to:

  • Remove dormant access
  • Close obsolete accounts
  • Confirm clear ownership for the systems that remain

Proton Pass for Business helps reduce the friction that often keeps these accounts alive by making ownership clearer, access easier to review, and credential changes easier to manage when people leave or roles change.

Step 5: Remediate and standardize

The final step is to turn what you found into action. A password audit only improves your organization’s security if the issues it uncovers are addressed in a structured way.

Once you have identified gaps, you can build a plan that is systematic rather than reactive. Here is a simple password audit checklist:

  • Immediately change weak or exposed credentials.
  • Replace reused passwords with unique ones.
  • Enable 2FA everywhere, starting with critical accounts.
  • Remove inactive or unnecessary accounts.
  • Revoke excess privileges.
  • Move credentials out of spreadsheets, documents, or browser storage.
  • Consolidate password storage into an approved business system.
  • Update your password and access policies.

This is also the right moment to align technical action with policy. If your current password policy is vague, unenforced, or unrealistic, your audit will simply surface the same problems again in six months.

Password audits and password policies work very well together: Proton’s guide to creating a password policy is a strong companion resource. And you can get started easily with our password policy template.

Remediation needs to prioritize by risk, not by neatness. Start with admin accounts, systems containing sensitive data, externally exposed services, and shared credentials with poor ownership. Then work outward.

Why do businesses skip password audits?

If password audits are so useful, why do so many businesses not bother conducting them? The process can feel harder to begin than it actually is.

In many organizations, credentials are stored in too many locations to review easily. Some employees save passwords in browsers. Others keep them in spreadsheets, shared documents, notes apps, or internal messages. 

Different teams may use their own tools, buy software independently, or manage access informally. As a result, the business can lose track of which systems are in use and who has access to them, making it difficult to identify and address security risks.

The absence of a centralized system makes this even harder. Without a single location to manage business credentials, even a basic password security audit can turn into a manual exercise built on guesswork, screenshots, and individual memory. Many SMBs postpone reviewing their password practices because they assume it will require a full-scale security project. In reality, the first step is simply to create structure around what already exists.

Password audits are also often overlooked because credential risk tends to build quietly. Unlike a software outage or a phishing incident, poor password hygiene isn’t always obvious. Weak passwords, unnecessary access, dormant accounts, and informal sharing practices can remain in place for months without drawing attention. By the time they are noticed, they are often deeply embedded in day-to-day operations.

A password audit brings this hidden risk to the surface. It collects evidence and gives an organization the visibility and ownership it needs to strengthen access control, improve storage practices, and make more consistent security decisions.

Turn your password audit into an ongoing control

A password audit becomes much more valuable when it is part of an ongoing practice rather than a one-off review. Credential risk keeps growing if it isn’t addressed. Access changes as people join, leave, change roles, adopt new tools, or work with external partners for limited periods. If a review only happens once, the findings begin to age almost immediately.

Centralized password management is your best investment. It gives IT teams more than a secure place to store credentials. It creates the visibility and control needed to review access more consistently, enforce stronger standards, and respond faster when something needs attention.

Choosing a password manager for IT teams supports this operational model through effective admin dashboards, centralized administration, team policies, role-based access, SCIM provisioning, SSO, and audit logs, turning password management into a stronger operational and compliance control.