How long does a password security audit take?

For mid-sized enterprises (500-5,000 employees) a thorough password security audit typically spans 30 days across discovery, assessment, and reporting phases.

What happened with the Louvre's password security?

ANSSI auditors discovered default passwords such as 'LOUVRE', unrotated vendor credentials, and shared admin accounts protecting physical security, HVAC, and visitor management systems, exposing the museum to losses exceeding $102M.

Which password audit findings require immediate remediation?

Default credentials on internet-facing systems, privileged accounts without MFA, shared admin credentials stored plaintext, service accounts with interactive logon, and break-glass accounts without alerting represent critical risks requiring rapid remediation.

How the Louvre Lost $102M to a Password You Could Guess in 5 Seconds (And How to Audit Your Organization Before You're Next)

Q: What is a password security audit?

A password security audit is a systematic review of how credentials are created, stored, rotated, and protected across every system in an organization, including default credentials, legacy systems, shared accounts, MFA coverage, and emergency procedures.

The Louvre Museum guards the Mona Lisa. Priceless art. World heritage. Ten million visitors per year.

Their network password? "LOUVRE." I wish I was joking.

In 2024, French cybersecurity agency ANSSI ran a penetration test on the world's most visited museum. Their auditors walked in like digital tourists and walked out with administrative access to HVAC systems, security cameras, visitor management, and building controls.

The remediation estimate? $102 million.

And here's what keeps me up at night after a decade of consulting with Fortune 500 companies: the Louvre isn't special. They're just the museum that got audited publicly.

Your organization probably has the same password sitting on some forgotten router installed by a contractor in 2019. The same shared admin account that five people use. The same vendor credentials that haven't been changed since the system was deployed.

You just haven't been audited yet.

Let me show you how to fix that before someone else finds these gaps for you.

TL;DR: Your 90-Second Audit Reality Check

The uncomfortable truth:

Default passwords aren't just on routers anymore (hello IoT, building systems, and cloud consoles).
Shared credentials destroy accountability faster than they save five minutes.
MFA gaps on privileged accounts put you one phish away from total compromise.
Legacy systems become credential debt the day you can no longer patch them.

What actually works:

A 30-day structured audit that combines interviews, scanning, and governance reviews.
Risk-based prioritization - fix the internet-facing defaults today, not next quarter.
A recurring schedule that treats credential hygiene as operations, not a one-time project.

Bottom line: The Louvre didn't fall to zero-days or nation-state hackers. They fell to "LOUVRE" typed into a login form. Your audit needs to catch the same failure before attackers do.

Why the Louvre Failed (And Why Your Organization Might Too)

I spent three months helping a manufacturing company recover from a breach. The attacker didn't use sophisticated malware or exploit an obscure vulnerability. They logged into an edge router using the default admin credentials printed in the manual.

The router was installed six years earlier by a vendor who's no longer under contract. Nobody remembered it existed. It sat there broadcasting its presence on Shodan, waiting for someone to try "admin/password." Someone did.

This is the Louvre problem at scale.

Systems get deployed. Vendors do the installation. They hand you a sticky note with temporary credentials. You mean to change them. Then production deadlines hit. Then that vendor leaves. Then the person who was supposed to change those passwords moves to a different department.

Now it's 2025 and somewhere in your network infrastructure is a device still using "admin123" that everyone forgot about.

Three structural failures I see in every credential audit:

Shadow IT proliferation: Marketing launches a SaaS platform. Sales spins up a customer portal. Facilities adds smart building controls. Nobody told IT. Nobody updated the asset inventory. Nobody changed the default credentials.

Compliance checkbox mentality: You pass your annual audit. Everyone celebrates. Then 364 unmonitored days allow temporary accounts to become permanent and shared credentials to multiply.

Decentralized ownership: IT manages network gear. Security handles user accounts. DevOps controls cloud infrastructure. Facilities owns building automation. Everyone assumes someone else is watching the credentials in their domain. The gaps live in the seams.

The Louvre showed us what happens when these structural problems meet a competent auditor:

What ANSSI Found at the Louvre	What Happens at Most Organizations
Default vendor password "LOUVRE" unchanged for years	Credential rotation tracked in spreadsheets nobody updates
Shared admin accounts across multiple teams	Service accounts used by humans, destroying audit trails
No MFA on infrastructure management consoles	"We'll add MFA next quarter" becomes "maybe next year"
Legacy systems excluded from security assessments	"Too old to support modern auth" becomes a permanent excuse
Emergency credentials stored in unencrypted spreadsheets	Break-glass procedures work once, then nobody tests them again

You're not protecting the Mona Lisa. But the math is the same. One default password. One shared credential. One forgotten system. That's all it takes.

What You're Actually Auditing (The 7 Areas That Matter)

A complete password audit answers three questions:

Where do credentials exist in your environment?
Who actually owns them?
What controls prevent misuse?

Most organizations can't answer the first question, let alone all three. Here's the framework mapped to NIST SP 800-63B and CIS Controls v8 that mirrors ANSSI's Louvre audit.

Area 1: Default and Vendor Credentials (The "LOUVRE" Problem)

What you're looking for: Factory defaults on network gear, building automation with vendor credentials, cloud consoles with unchanged initial logins, IoT devices advertising baked-in passwords.

Why this kills you: Default passwords are in attacker dictionaries. If Shodan can fingerprint your device, someone is already trying them.

Audit actions: Pull the inventory, document default changes, verify policy compliance, confirm vendor credential rotation.

Pass/fail: Defaults changed within 24 hours, logged in the CMDB, with a vendor rotation plan.

Area 2: Legacy System Passwords (Windows Server 2003 Is Still Out There)

What you're looking for: End-of-life operating systems, industrial controls, proprietary apps that can't support modern auth.

Why this kills you: Legacy systems can't adopt phishing-resistant authentication, turning technical debt into credential debt.

Audit actions: Identify every legacy system, document compensating controls, enforce unique credentials, and assign a migration timeline.

Pass/fail: Legacy systems are isolated, monitored, and on a retirement or modernization track.

Area 3: Shared Credentials Across Teams

What you're looking for: Shared service accounts, admin passwords in shared vaults, API keys in repos, vendor logins everyone knows.

Why this kills you: Shared credentials erase accountability.

Audit actions: Catalog every shared credential, demand justification, store them in systems with logging, map usage to individuals.

Pass/fail: Unique credentials per user whenever possible; remaining shared access is mediated via PAM/vaults with full attribution.

Area 4: Password Age and Rotation Policies

What you're looking for: Credentials older than your security improvements, passwords belonging to former employees, API keys predating rotation policies.

Why this kills you: Old credentials predate modern monitoring.

Audit actions: Run age reports, verify rotation triggers, retire pre-improvement credentials.

Pass/fail: Rotation is event-driven per NIST SP 800-63B.

Area 5: MFA Coverage Gaps

What you're looking for: Admin consoles without MFA, remote access lacking second factors, password-only cloud management.

Why this kills you: One phished password without MFA is game over.

Audit actions: Assign risk levels, compare enrollment vs. user lists, remove bypasses, require hardware keys/FIDO2 for critical roles.

Risk Level	Access Type	MFA Status	Acceptable Methods
CRITICAL	Domain & cloud root admin	Mandatory	Hardware token, FIDO2, smartcard
HIGH	Database & financial systems	Mandatory	Authenticator app, hardware token
MEDIUM	VPN, remote access, email	Mandatory	Push notification, authenticator (SMS only as temporary fallback)
LOW	Internal line-of-business apps	Optional	Context-based or device trust

Area 6: Privileged Account Management

What you're looking for: Inventory of privileged accounts, encrypted vaulting, session monitoring, automated rotation, just-in-time provisioning.

Why this kills you: Privileged accounts are nuclear launch codes.

Audit actions: Inventory, encrypt, monitor, rotate, and time-limit every privileged credential.

[2025-10-18 14:23:41] admin-rotate-script | SUCCESS | AWS-PROD-ROOT | Credential rotated
[2025-10-18 14:23:42] admin-rotate-script | SUCCESS | AZURE-GLOBAL-ADMIN | Credential rotated
[2025-10-18 14:23:43] john.smith@company.com | ACCESS | DB-PROD-ADMIN | Session ID: a8f7e3
[2025-10-18 14:28:19] john.smith@company.com | LOGOUT | DB-PROD-ADMIN | Duration: 4m 36s
[2025-10-18 15:47:02] ALERT | susan.jones@company.com | BREAKGLASS-01 | Emergency access

Area 7: Emergency Access Procedures (Break-Glass)

What you're looking for: Documented break-glass workflows, tamper-evident storage, immediate alerting, post-use reviews, forced rotation.

Why this kills you: Emergency accounts without controls become stealth backdoors.

Audit actions: Inventory, secure, alert, test, and expire every break-glass credential.

How to Actually Run This Audit (30-Day Timeline)

Week 1: Discovery and Scoping (“What do we actually have?”)

Build the inventory across identity, SaaS, on-prem, cloud, network, facilities, IoT.
Assign owners for each domain.
Run credential scanners (with written approval) to catch default and weak credentials.

Weeks 2–3: Assessment Execution (“Ask questions, verify answers”)

Interview owners with the checklist and demand evidence.
Review authentication logs for privileged anomalies and MFA bypasses.
Validate password manager, PAM, and break-glass workflows.

Week 4: Analysis & Reporting (“What does this mean?”)

Classify findings using the risk matrix.
Assign owners, deadlines, and budgets.
Produce executive summaries focusing on impact, cost, and residual risk.

Risk severity matrix

Likelihood	Critical Impact	High Impact	Medium Impact	Low Impact
Very Likely	CRITICAL	HIGH	HIGH	MEDIUM
Likely	HIGH	HIGH	MEDIUM	LOW
Possible	HIGH	MEDIUM	MEDIUM	LOW
Unlikely	MEDIUM	LOW	LOW	LOW

Impact definitions: Critical = physical security, large-scale PII, financial systems. High = production admin control. Medium = internal applications. Low = isolated systems.

Likelihood definitions: Very likely = default credentials or missing MFA on exposed systems. Likely = weak rotation or MFA gaps. Possible = inconsistent processes. Unlikely = layered controls and strong monitoring.

Red Flags That Mean “Drop Everything and Fix This Now”

Default credentials on internet-facing systems: Change them immediately.
Privileged cloud access without MFA: Enable MFA before continuing.
Shared admin credentials in plaintext: Move them into an encrypted vault.
Service accounts with interactive logon rights: Remove human access or convert to named accounts.
Break-glass accounts without alerting: Configure notifications right now.

Priority guidance: Treat these as active incidents. Fix them before you resume the audit.

After the Audit: How to Actually Fix Everything

Quick Wins (Days, Not Weeks)

Change default credentials on exposed systems.
Enable MFA on every cloud infrastructure console.
Move shared admin passwords into a monitored vault.
Disable dormant privileged accounts.

Strategic Improvements (This Quarter)

Deploy or expand privileged access management.
Extend MFA to VPN, remote access, and finance platforms.
Implement service account governance with rotation schedules.
Document and rehearse break-glass procedures with multi-person approvals.

Long-Term Initiatives (This Year)

Retire or isolate legacy systems that can't support modern authentication.
Adopt identity governance for provisioning, access reviews, and deprovisioning.
Pilot passwordless authentication for high-risk roles.
Automate credential monitoring with anomaly detection.

The Password Security Audit Checklist (Pass/Fail Criteria)

Use these questions during interviews and evidence collection. Minimum passing responses are noted for each area.

Area 1: Default & Vendor Credentials (Pass requires Q1, Q2, Q5)

Do you maintain an inventory of all network, IoT, and vendor-managed devices?
Were default administrative credentials changed within 24 hours of deployment?
Are vendor-provided credentials rotated when vendor staff change?
Is credential ownership verified during vendor handoffs or system transfers?
Can you produce documentation showing when each system's default password last changed?

Area 2: Legacy System Passwords (Pass requires Q1, Q2, Q3)

Have you identified all systems past end-of-life?
Do those systems have documented compensating controls (isolation, monitoring)?
Are legacy credentials prevented from being reused on modern platforms?
Is there a migration timeline for systems that cannot support MFA/SSO?
Are password complexity requirements equal to or stronger than modern systems?

Area 3: Shared Credentials (Pass requires Q1, Q3, Q4)

Have you cataloged every shared service account, admin credential, and API key?
Are business justifications documented and reviewed annually?
Are shared credentials stored in a managed vault with access logging?
Canyou map which individual accessed a shared credential and when?
Is there a timeline to eliminate或 individualize shared credentials?

Area 4: Password Age & Rotation (Pass requires Q1, Q2, Q3)

Canyou report password age for all human and service accounts?
Do documented procedures trigger rotation after suspected compromise?
Are credentials rotated when employees change roles or exit?
Doyou retire credentials created before major security upgrades?
Haveyou eliminated arbitrary rotation in favor of risk-based triggers?

Area 5: MFA Coverage (Pass requires all five questions)

Haveyou categorized systems/accounts by risk level?
Is MFA enforced on all administrative and privileged accounts?
Is MFA required for all remote access paths (VPN, RDP, SSH)?
Do cloud management consoles enforce MFA for every user?
Are phishing-resistant methods (hardware keys, FIDO2) required for critical systems?

Area 6: Privileged Account Management (Pass requires Q1, Q2)

Doyou maintain a full inventory of privileged accounts?
Are privileged credentials vaulted或 encrypted?
Are privileged sessions monitored or recorded?
Are credentials automatically rotated after use or on schedule?
Doyou provide just-in-time access for administrative tasks?

Area 7: Emergency Access Procedures (Pass requires Q1, Q2, Q3)

Are break-glass procedures documented for identity outages?
Are break-glass credentials stored securely with tamper evidence?
Does usage trigger immediate alerts and incident review?
Are procedures tested annually through tabletop exercises?
Do break-glass accounts have expiration或 periodic recertification?

Scoring guidance: 28–35 "Yes" answers = mature program. 21–27 = acceptable but needs targeted improvements. 14–20 = significant vulnerabilities. Below 14 = systemic credential failure.

Important: This checklist supplements formal audits. Regulated industries still require qualified assessors.

Key Takeaways (The Stuff You Actually Need to Remember)

The Louvre lost $102M not to elite attackers but to "LOUVRE" typed into a login prompt.
A 30-day credential audit using interviews, scanning, and governance reviews uncovers the same gaps inside your org.
Prioritize fixes by risk: remove shared credentials, enforce MFA, vault privileged access, and retire or isolate legacy systems.
Password risk is living risk. Schedule recurring reviews and treat them as operations.

Your organization guards something more valuable than art: operational continuity, customer trust, and brand reputation. The math works the same. One default password. One shared credential. One forgotten system. That’s all it takes.

Need Help Closing These Gaps?

I've spent ten years helping organizations implement the recommendations in this guide. Sometimes you need an outside perspective to find the credentials everyone forgot or the controls everyone assumes someone else implemented.

Six Sense Solutions delivers enterprise observability and security audits - password manager rollout included - in 30-day engagements. We’ve helped Fortune 500 companies and small teams alike close credential gaps before they become headlines.

Schedule a consultation to protect your organization before you become the next Louvre.

Frequently Asked Questions

What is a password security audit?

A password security audit reviews how credentials are created, stored, rotated, and protected throughout your environment. It answers: Where do credentials exist? Who owns them? What controls prevent misuse?

How long does a password audit take?

Medium-sized enterprises (500–5,000 employees) typically complete the assessment in about 30 days: discovery in week one, execution in weeks two and three, analysis and reporting in week four. Larger organizations often run parallel workstreams per business unit.

What did ANSSI actually find at the Louvre?

Auditors logged in with default passwords - including "LOUVRE" - and found shared vendor credentials plus missing MFA on systems controlling physical security, HVAC, and visitor operations. The remediation cost exceeded $102M.

Which findings require immediate remediation?

Default credentials on exposed systems, privileged accounts without MFA, plaintext shared passwords, service accounts with interactive logon rights, and break-glass usage without alerts all justify emergency changes.

Sources & Further Reading

NIST SP 800-63B: Digital Identity Guidelines
CIS Controls v8: Control 5 & Control 6
ANSSI: Security Audit Framework and Methodology
Louvre remediation cost estimates reported by French media (2024–2025).

Disclaimer: This guide is for educational purposes and general security improvement. Engage qualified security professionals for compliance-driven or regulated assessments.