Understanding Indicators of Audit Dashboard

The Security Audit Dashboard is divided into six distinct sections. Each surfaces a different dimension of credential risk. Together, they give administrators a layered view — from organization-wide score down to individual vault details.

Privacy note: All metrics on this dashboard reflect aggregated, vault-level statistics only. Administrators cannot see any actual item details. Only aggregated audit metrics are transmitted from user devices.

Security Audit Score

The Security Audit Score reflects the overall credential health of your organization, aggregated across all user vaults. Each vault also carries its own individual score calculated using the same logic.

The score is influenced by the following factors:

  • Critical Alerts — Compromised passwords and breached passwords

  • Attention Required — Weak passwords and identical / reused passwords

  • Vault master password strength — The strength of the user's vault master password

The score maps to a health label:

Score           Health Label   Meaning
90% and above   High           Strong credential hygiene
70–89%          Medium         Some risks present; remediation recommended
60–69%          Low            High risk; prompt action required
Below 60%       At Risk        Critical issues requiring immediate attention

A vault is also marked At Risk regardless of its score if any of the following are true:

  • It contains one or more compromised or breached passwords.

  • Its vault master password strength is rated Very Weak or Weak.
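The following is an added example, not Enpass's own code, that applies the score-to-label table and the two At Risk overrides to a vault. It assumes the score is an integer percentage and that the master password strength arrives as one of the labels the page uses ("Very Weak", "Weak", and so on); the sample vaults are constructed for illustration.

```python
from dataclasses import dataclass

# Master-password ratings that force the At Risk label regardless of score.
FORCED_AT_RISK_STRENGTHS = {"Very Weak", "Weak"}


@dataclass
class VaultAudit:
    score: int            # aggregated audit score, 0-100 (assumed integer percent)
    compromised: int      # count of compromised passwords in the vault
    breached: int         # count of passwords for breached websites
    master_strength: str  # e.g. "Very Weak", "Weak", "Fair", "Strong" (assumed labels)


def label_for_score(score: int) -> str:
    """Pure mapping from the health-label table; no overrides applied."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score >= 90:
        return "High"
    if score >= 70:
        return "Medium"
    if score >= 60:
        return "Low"
    return "At Risk"


def health_label(v: VaultAudit) -> str:
    """Table label, overridden to At Risk by either critical condition."""
    if v.compromised > 0 or v.breached > 0:
        return "At Risk"
    if v.master_strength in FORCED_AT_RISK_STRENGTHS:
        return "At Risk"
    return label_for_score(v.score)


def organization_summary(vaults: list) -> dict:
    """Counts vaults per label so an admin can see where risk concentrates."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "At Risk": 0}
    for v in vaults:
        counts[health_label(v)] += 1
    return counts


# Constructed sample: four vaults with different risk profiles.
SAMPLE_VAULTS = [
    VaultAudit(score=95, compromised=0, breached=0, master_strength="Strong"),
    VaultAudit(score=95, compromised=1, breached=0, master_strength="Strong"),  # override
    VaultAudit(score=88, compromised=0, breached=0, master_strength="Weak"),    # override
    VaultAudit(score=64, compromised=0, breached=0, master_strength="Fair"),
]

if __name__ == "__main__":
    for v in SAMPLE_VAULTS:
        print(v.score, v.master_strength, "->", health_label(v))
    print(organization_summary(SAMPLE_VAULTS))
```

Note that a high score alone does not clear a vault: the second and third sample vaults score well above 90% and 70% respectively but are still reported At Risk because of a compromised password and a weak master password.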

Two supporting counters are shown alongside the organization score:

  • Vaults — Total number of vaults across all users in the organization.

  • Passwords — Total number of passwords stored across all vaults.

Critical Alerts

Critical Alerts highlight the highest-severity risks in your organization — conditions that indicate credentials have already been, or are at immediate risk of being, exploited.

Breached Websites

Counts credentials stored in Enpass where the associated website is known to have suffered a data breach. A non-zero count does not necessarily mean the password itself has appeared in a known breach dataset; it is a precautionary signal that the site was compromised and that the stored credential should be reviewed and rotated.

Enpass maintains a local database of known breached website domains, synchronized from Enpass servers. If a password was created for a site before that site was breached, it will be flagged. All checks happen locally on the Enpass app and no data is sent to any external server.

Compromised Passwords

Counts passwords that have been identified as compromised because they appear in known breach datasets. These credentials should be changed immediately.

Compromised passwords represent the most urgent remediation priority. Even a single compromised credential can be a vector for credential stuffing or unauthorized access. Compromised password checks are powered by the HaveIBeenPwned service. The check is privacy-preserving and uses a method called k-anonymity. Enpass hashes each password and sends only the first 5 characters of that hash to the service. A list of matching hashes is returned and the actual comparison happens locally on the device. The full password and its complete hash are never sent to any external server.
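To make the k-anonymity exchange concrete, here is an added example (not Enpass's implementation) of the client side of the check. The HaveIBeenPwned range API works on the SHA-1 hash of the password: the client sends the first 5 hex characters of the hash and receives every suffix sharing that prefix with its breach count, so the comparison finishes on the device. The network call is replaced here by a lookup into a range index built from a small constructed corpus of "leaked" passwords, so the block runs offline.

```python
import hashlib

# Constructed corpus standing in for the breach dataset; counts are made up.
LEAKED = {"password": 3730471, "letmein": 269000, "qwerty123": 45000}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the HIBP range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """5-char prefix that leaves the device, 35-char suffix that never does."""
    return full_hash[:5], full_hash[5:]


def build_range_index(leaked: dict) -> dict:
    """Groups the corpus by hash prefix, in the 'SUFFIX:COUNT' line format the
    range API returns for each prefix."""
    index = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


RANGE_INDEX = build_range_index(LEAKED)


def range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Only the 5-character prefix is ever passed in."""
    if len(prefix) != 5:
        raise ValueError("only a 5-character hash prefix may be sent")
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def what_leaves_device(password: str) -> str:
    """The single value transmitted for a given password: its hash prefix."""
    return split_hash(sha1_hex(password))[0]


def check_compromised(password: str, lookup=range_lookup) -> int:
    """Returns the breach count for the password, or 0 if it is not found.
    The suffix comparison happens locally against the returned range."""
    prefix, suffix = split_hash(sha1_hex(password))
    body = lookup(prefix)
    for line in body.splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def count_compromised(passwords: list) -> int:
    """The Compromised Passwords counter: how many items hit the dataset."""
    return sum(1 for pw in passwords if check_compromised(pw) > 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "-> sent:", what_leaves_device(pw), "count:", check_compromised(pw))
```

The hash prefix is 20 bits of a 160-bit digest, so a prefix identifies none of the passwords in the range it selects; the server learns only that one of several hundred hashes was of interest. Because the full hash is never sent, a response can be compared safely on the device and the result is all that feeds the dashboard counter.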

Policy dependency: Whether this check runs is controlled by the Check for Compromised Passwords setting in the Password Audit Policies section of the Admin Console. Admins can enforce it organization-wide or disable it.

Attention Required

This section surfaces passwords that are not yet compromised but represent elevated risk due to poor hygiene practices.

Identical Passwords

Counts passwords that are reused across multiple accounts or sites. Password reuse means that a breach of one service can cascade to others. A single leaked credential becomes a key to every account sharing that password.

SSO Identical Passwords

Identifies items where a user has reused their Single Sign-On (SSO) password on other accounts. SSO credentials are particularly sensitive because they often gate access to multiple systems. Reusing SSO credentials on external services significantly amplifies the impact of any breach of those services.

This check only works if your organization's SSO domains are configured in Password Audit Policies and the user has added their SSO credentials to their Enpass vault.
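As an added example covering both the Identical Passwords and SSO Identical Passwords counters (illustrative code, not Enpass's own), the block below groups items by a hash of their password rather than by the password itself, counts the items that share a password with at least one other item, and then flags non-SSO items whose password matches an item on a configured SSO domain. The items, URLs and SSO domain are constructed; treating "count" as the number of items involved in reuse is an assumption, since the page does not define the counting unit.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Item:
    title: str
    url: str
    password: str


def fingerprint(password: str) -> str:
    """Compare passwords by digest so plaintext never sits in the grouping."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_sso_domains(host: str, sso_domains: list) -> bool:
    """True if host is one of the configured SSO domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in sso_domains)


def reuse_groups(items: list) -> dict:
    """fingerprint -> items sharing that password (only groups of 2 or more)."""
    groups = defaultdict(list)
    for it in items:
        groups[fingerprint(it.password)].append(it)
    return {fp: g for fp, g in groups.items() if len(g) > 1}


def identical_password_count(items: list) -> int:
    """Number of items whose password is shared with at least one other item."""
    return sum(len(g) for g in reuse_groups(items).values())


def sso_identical_items(items: list, sso_domains: list) -> list:
    """Titles of non-SSO items that reuse a password stored for an SSO domain.
    With no SSO domains configured nothing can be flagged, matching the policy
    dependency described above."""
    sso_fps = {fingerprint(it.password) for it in items
               if in_sso_domains(host_of(it.url), sso_domains)}
    return [it.title for it in items
            if fingerprint(it.password) in sso_fps
            and not in_sso_domains(host_of(it.url), sso_domains)]


# Constructed sample vault contents (all example.* domains are reserved names).
SAMPLE_ITEMS = [
    Item("Corporate SSO", "https://login.example.com", "Corr3ctHorse!"),
    Item("Code hosting", "https://code.example.net", "Corr3ctHorse!"),   # reuses SSO password
    Item("Forum", "https://forum.example.net", "hunter2"),
    Item("Old wiki", "https://wiki.example.net", "hunter2"),
    Item("Bank", "https://bank.example.org", "uniqueP@ss-9911"),
]
SSO_DOMAINS = ["example.com"]

if __name__ == "__main__":
    print("identical:", identical_password_count(SAMPLE_ITEMS))
    print("sso identical:", sso_identical_items(SAMPLE_ITEMS, SSO_DOMAINS))
```

In the sample, two reuse groups of two items each give an Identical Passwords count of 4, and only the code-hosting item is reported as SSO Identical, because it shares the SSO item's password while living outside the SSO domain.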

Weak Passwords

Counts passwords that do not meet minimum strength thresholds. Enpass uses the zxcvbn algorithm for password strength estimation. Zxcvbn is a realistic strength estimator that accounts for common patterns, dictionary words, and predictable substitutions rather than simple character rules.

Beyond the standard zxcvbn dictionary, admins can calibrate weak password detection for their organization by adding company-specific terms in Password Audit Policies — such as the company name, product names, or office location. These are often the first terms an attacker would try in a targeted attack and would not appear in standard dictionaries.
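The following added example (not Enpass's code, and not zxcvbn itself) shows why company-specific terms need to be matched after normalization: users typically disguise such terms with capitalization, separators and digit-for-letter substitutions, so a plain substring test would miss them. The term list, the substitution map and the minimum term length are assumptions for the illustration; zxcvbn exposes the same idea through its user_inputs parameter, which this block stands in for so it runs without the library.

```python
import re

# Common digit/symbol-for-letter substitutions (an illustrative subset).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize(text: str) -> str:
    """Lowercase, undo substitutions, then drop separators, so that
    'Acm3-C0rp' and 'acme corp' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def org_term_hits(password: str, org_terms: list, min_len: int = 4) -> list:
    """Returns the configured terms found inside the password. Terms shorter
    than min_len are ignored to avoid flagging everything on a short acronym."""
    norm_pw = normalize(password)
    hits = []
    for term in org_terms:
        norm_term = normalize(term)
        if len(norm_term) >= min_len and norm_term in norm_pw:
            hits.append(term)
    return hits


def is_weak_by_org_terms(password: str, org_terms: list) -> bool:
    return bool(org_term_hits(password, org_terms))


# Constructed list of the kind an admin would enter in Password Audit Policies.
ORG_TERMS = ["Acme Corp", "Widgetron", "Springfield", "HQ"]

if __name__ == "__main__":
    for pw in ["Acm3C0rp2024!", "Spr1ngf!eld#1", "Widg3tr0n-2025", "Tr0ub4dor&3"]:
        print(pw, "->", org_term_hits(pw, ORG_TERMS))
```

The third sample shows the separator case and the second the substitution case; both would pass a naive `term in password` check and both are caught here. The two-letter "HQ" entry is deliberately ignored by the length floor.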

Risk implication: Weak and identical passwords are common precursors to credential-based attacks. Use the Password Audit Policies section to enforce password strength requirements and configure SSO domain detection to surface the full picture of reuse risk in your organization.

Compliance Gaps

Compliance Gaps tracks credentials that fail to meet the password policies your organization has defined in Password Generation Rules.

Expired Passwords

Counts passwords that have passed their configured expiration date and have not yet been rotated. Organizations with a password rotation policy will accumulate expired passwords whenever users do not update credentials on schedule.

Rule Violating Passwords

Counts passwords that do not conform to the password rules defined in Password Generation Rules — for example, passwords that are too short, lack special characters, or fail other complexity requirements.
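Both Compliance Gaps counters can be produced by the same pass over a vault. The block below is an added example (not Enpass's rules engine): it evaluates a constructed rule set with a rotation window, a minimum length and four character-class requirements, and returns which items are expired and which violate the rules. The rule values, item records and the reference date are all constructed; the page does not state Enpass's defaults or how it stores the last-changed date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Rules:
    """Constructed stand-in for a Password Generation Rules configuration."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    rotation_days: Optional[int] = 90   # None disables expiration entirely


@dataclass
class Item:
    title: str
    password: str
    last_changed: date   # assumed field: when the password was last rotated


def is_expired(item: Item, rules: Rules, today: date) -> bool:
    """Expired once the rotation window has been exceeded; exactly on the
    boundary day the password is still in policy."""
    if rules.rotation_days is None:
        return False
    return today - item.last_changed > timedelta(days=rules.rotation_days)


def rule_violations(password: str, rules: Rules) -> list:
    """Every rule the password fails, so a user can be told what to fix."""
    v = []
    if len(password) < rules.min_length:
        v.append(f"shorter than {rules.min_length} characters")
    if rules.require_upper and not any(c.isupper() for c in password):
        v.append("no uppercase letter")
    if rules.require_lower and not any(c.islower() for c in password):
        v.append("no lowercase letter")
    if rules.require_digit and not any(c.isdigit() for c in password):
        v.append("no digit")
    if rules.require_special and not any(not c.isalnum() for c in password):
        v.append("no special character")
    return v


def compliance_gaps(items: list, rules: Rules, today: date) -> dict:
    """The two dashboard counters, returned as item titles for drill-down."""
    return {
        "expired": [it.title for it in items if is_expired(it, rules, today)],
        "rule_violating": [it.title for it in items if rule_violations(it.password, rules)],
    }


# Constructed sample, evaluated against a fixed date so results are stable.
AS_OF = date(2025, 6, 1)
DEFAULT_RULES = Rules()
SAMPLE_ITEMS = [
    Item("Payroll", "Xy7!longEnough12", date(2024, 12, 1)),   # compliant, long expired
    Item("Wiki", "short1!", date(2025, 5, 15)),               # too short, no uppercase
    Item("CRM", "Gr3at-Passw0rd-Ok", date(2025, 3, 2)),       # compliant, 91 days old
    Item("Vendor", "OnlyLowerAndUpper", date(2025, 5, 20)),   # no digit, no special
]

if __name__ == "__main__":
    print(compliance_gaps(SAMPLE_ITEMS, DEFAULT_RULES, AS_OF))
```

The CRM item is the boundary case worth noticing: with a 90-day rotation window it is expired at 91 days, while an item changed on 2025-03-03 (exactly 90 days before the reference date) is still in policy. Tracking these two lists over successive audits is what produces the trend an auditor will ask for.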

Compliance implication: Both metrics are directly relevant to regulatory and audit requirements. High counts in either category may indicate that your password policy is not being followed, is not being enforced effectively, or needs to be reviewed and adjusted. Track these numbers over time and use them to demonstrate improvement to auditors.

Actionable Suggestions

Actionable Suggestions identifies accounts where users can upgrade to stronger authentication methods and where Enpass can facilitate that upgrade directly.

Passkey Supported Items

The number of stored accounts that support Passkeys. Passkeys are a phishing-resistant, passwordless authentication standard. Enpass acts as a native passkey provider: users can create, store, and sign in with passkeys directly from Enpass, the same way they manage passwords today. This makes Enpass a natural path toward passwordless authentication without introducing a separate tool.

Enpass maintains a local database of sites that support passkeys, kept up to date automatically. All checks happen locally — no browsing data or account information is sent to any server.

Policy dependency: Passkey creation and sign-in can be disabled organization-wide via Advanced App Policies.

2FA Supported Items

The number of stored accounts that support Two-Factor Authentication (2FA) via TOTP (Time-Based One-Time Password). Enpass includes a built-in authenticator (similar to Google Authenticator) that can generate TOTP codes and store them alongside the corresponding login item. Enabling 2FA on these accounts adds a critical second layer of defense even if the password itself is compromised.

Enpass maintains a local database of sites that support TOTP-based 2FA, updated automatically in a privacy-preserving manner.

Policy dependency: By default, Enpass suggests setting up authenticator codes when a user views an item for a TOTP-supported service. This can be suppressed via Password Audit Policies.

Risk implication: These metrics represent the fastest wins available for improving security posture. Prioritizing passkey and 2FA adoption for high-value accounts reduces reliance on passwords entirely for those logins.

Vaults

The Vaults section provides a per-user and per-vault breakdown of credential health, enabling administrators to identify exactly which users and vaults are contributing to organizational risk.

See Identifying At-Risk Users and Vaults for a full walkthrough of the Vaults table, filters, and drill-down capabilities.