School performs periodic password audits. Is my password compromised?

Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.


As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.

Actually, there is: cracking.

There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.

To quote this article about John the Ripper:

How you decide to use John is up to you. You may choose to run it on all the password hashes on your system regularly to get an idea of what proportion of your users' passwords are insecure. You could then consider how you could change your password policies to reduce that proportion (perhaps by increasing the minimum length.) You may prefer to contact users with weak passwords and ask them to change them. Or you may decide that the problem warrants some sort of user education program to help them select more secure passwords that they can remember without having to write them down.
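The audit described in the first answer (apply the hash and salt to every entry of a common-password list and look for a match) and the John/Hashcat practice quoted above can be shown in a few lines. The following is an added example, not code from the answers or from any of the tools named: it builds a constructed table of users with made-up passwords, audits it against a constructed wordlist, and counts how many hash evaluations the audit costs with per-user salts versus an unsalted store. PBKDF2-HMAC-SHA256 with a very low iteration count stands in for whatever salted hash the real system uses; both the user data and the wordlist are assumptions made for the demo.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample accounts (not from the page). An administrator never sees
# these plaintexts in a real audit; they exist only so the script can build a
# hash table to audit.
USERS = {
    "alice": "password123",   # appears on the common-password list
    "bob": "Tr0ub4dor&3",     # does not appear on the list
    "carol": "letmein",       # appears on the common-password list
}

# Constructed stand-in for a "commonly used passwords" list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "iloveyou"]

# Deliberately low so the demo runs instantly; real deployments use far more
# iterations, or a memory-hard function such as scrypt/argon2.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash used by the demo (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_table(users: Dict[str, str], salted: bool) -> Dict[str, Tuple[bytes, bytes]]:
    """Return {user: (salt, hash)}.

    salted=True gives every user a random 16-byte salt; salted=False gives all
    users the same empty salt, which models an unsalted password store.
    """
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16) if salted else b""
        table[user] = (salt, hash_password(pw, salt))
    return table


def audit(table: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]):
    """Try every wordlist entry against every stored record.

    Returns (cracked, hashes_computed), where cracked maps each user whose
    password is on the list to the matching word. When salts differ, each
    user costs a full pass over the wordlist; when every record shares one
    salt, the wordlist is hashed once and the records are matched by lookup.
    """
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    distinct_salts = {salt for salt, _ in table.values()}

    if len(distinct_salts) == 1:
        # Unsalted (or shared-salt) store: hash the wordlist once, then O(1) lookups.
        salt = next(iter(distinct_salts))
        lookup: Dict[bytes, str] = {}
        for word in wordlist:
            lookup[hash_password(word, salt)] = word
            hashes_computed += 1
        for user, (_, stored) in table.items():
            if stored in lookup:
                cracked[user] = lookup[stored]
    else:
        # Per-user salts: the whole wordlist must be rehashed for every user.
        for user, (salt, stored) in table.items():
            for word in wordlist:
                hashes_computed += 1
                if hash_password(word, salt) == stored:
                    cracked[user] = word
    return cracked, hashes_computed


if __name__ == "__main__":
    for salted in (True, False):
        cracked, cost = audit(build_table(USERS, salted), WORDLIST)
        print(f"salted={salted}: flagged {sorted(cracked)} using {cost} hash evaluations")
```

With three users and six candidate words the salted audit costs 18 hash evaluations and the unsalted one costs 6; the gap grows linearly with the number of accounts, which is why a fast institution-wide audit can hint, though not prove, that the store is unsalted. Either way the audit only ever "finds" passwords that are already on the list, which is what the university's notice is most likely reporting.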


Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.

You give them your password as plaintext every time that you log on.

If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.

They can also check the password strength when you're logging in if they are using a single-sign-on service.

However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.

And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.

And while you're talking to the university's IT department, ask them about 2-factor authentication.
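The third answer points out that the password is in the clear at the moment of login, so a site or single-sign-on service can judge it right then without ever storing plaintext. The following added example (not the answer's code, not any university's system) shows how such a login-time check is usually arranged: the submitted password is verified against a salted hash with a constant-time comparison, and only after a successful verification is it compared against a common-password list and a minimum length, so that nothing about strength is ever revealed for a wrong guess. The blocklist, the length threshold, the `LoginResult` shape and the PBKDF2 parameters are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# Low iteration count so the demo is fast; production uses far more, or
# a memory-hard function (scrypt/argon2). Assumed values, not from the page.
ITERATIONS = 1000
MIN_LENGTH = 12

# Constructed blocklist; a real deployment loads a large common-password list.
COMMON_PASSWORDS = {"password", "password123", "letmein", "qwerty", "123456"}


@dataclass
class LoginResult:
    authenticated: bool
    weak: bool = False   # only ever True after a successful authentication
    reason: str = ""     # human-readable reason; never contains the password


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash used by the demo (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user(password: str) -> Dict[str, bytes]:
    """Store only a random salt and the salted hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def assess_strength(password: str) -> str:
    """Return an empty string if the password is acceptable, else the reason."""
    if password.lower() in COMMON_PASSWORDS:
        return "on common-password list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return ""


def login(record: Dict[str, bytes], submitted: str) -> LoginResult:
    """Verify the submitted password, then assess it only if it was correct."""
    candidate = hash_password(submitted, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        # Wrong password: do not assess it. Reporting strength here would hand
        # hints to someone guessing, and there is nothing to rotate anyway.
        return LoginResult(authenticated=False)
    reason = assess_strength(submitted)
    # The plaintext goes out of scope here; only the verdict is kept or logged.
    return LoginResult(authenticated=True, weak=bool(reason), reason=reason)


if __name__ == "__main__":
    rec = create_user("letmein")            # constructed weak credential
    print(login(rec, "letmein"))            # authenticated, flagged weak
    print(login(rec, "not-the-password"))   # not authenticated, nothing flagged
```

A service built this way can send the "your password is weak, please change it" notice the question describes without the administrator ever holding a plaintext copy; it also explains why the notice can arrive right after a login rather than on a schedule. The `weak` flag is the only thing that should be persisted or logged.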