Passwords: Analytics, Compliance, Enforcement

EPAS for Compliance

How to achieve NIST compliance with EPAS

The National Institute of Standards and Technology (NIST) is one of the authorities which sets the best practices on how to secure identities and authentication of users. The updated version of NIST Special Publication 800-63 “Digital Identity Guidelines” was released in 2019. Various companies and organizations use NIST guidelines to establish their security practices, while US federal agencies are required to comply with NIST 800-63.

These guidelines follow the Digital Identity Guidelines defined in the NIST Special Publication 800-63B. The following requirements notation and conventions are part of the aforementioned document. Whenever EPAS (Enterprise Password Analytics Solution) provides a feature that helps implement the given NIST recommendation, the feature is mentioned, together with the recommendation it covers, as well as a short explanation. A table summarizing the NIST recommendations covered is provided at the end. This document is intended as guidance for companies and organizations aiming to achieve compliance with NIST recommendations with the help of EPAS.



ISO/IEC 27001 Compliance Assisted by EPAS

ISO 27001 (officially known as ISO/IEC 27001:2013) is an international information security standard. This standard is used in an organization to implement, maintain, and to improve an information security management system (ISMS). Policies and procedures, including the legal, technical and physical controls involved in a company’s IT risk management processes, are part of the ISMS.


Implementing ISO 27001 supports organizations in blocking security risks, protecting sensitive data, and identifying the scope and bounds of their security programs. EPAS (Enterprise Password Analytics Solution) strongly assists organizations into managing specific requirements. Following, EPAS is mapped according to related ISO/IEC 27001:2013 control objectives and controls retrieved from Annex A.



PCI DSS Compliance Assisted by EPAS

The Payment Card Industry (PCI) initiated the first Data Security Standard (DSS) in 2004. Various revisions and updates have been done to the requirements since then. The PCI DSS contains twelve requirements for compliance, clustered by six logically connected controlled objectives.


The requirements that EPAS (Enterprise Password Analytics Solution) helps satisfying are marked with a red background.

PCI DSS provides the bare minimum requirements for protection against breaches which have occurred in the past. Therefore, it has a significant importance on the payment card ecosystem. EPAS assists organizations preventing breaches based on several PCI DSS requirements, and especially one of the essential security rules of the standard concerning vendor default passwords and weak or shared passwords. Following, EPAS features are mapped according to related PCI DSS requirements.



Achieve compliance with "BSI IT-Grundschutz ORP 4"

The German Federal Office for Information Security ("BSI") has favored regular password change in its "Guide to basic protection based on IT-Grundschutz" until 2020. This aspect is no longer available in the new edition, published in February 2020. In this edition BSI wrote that a password must be changed at latest in the event of suspected misuse in accordance with BSI guidelines. Alternative and secure passwords should be used for different logins and these must be changed if there is a suspicion of compromise of the corresponding account or password.

This document contains how EPAS (Audit and Enforcer) supports an organization to be in compliance with the new "Basic Protection ORP 4: Identity and Access Management" from the point of view of password security. The supporting functions of EPAS are also explained for the regulations concerned.



How to achieve IAR compliance with EPAS IN UAE

A strategic priority for the United Arab Emirates is managing cyber threats and assuring the implementation of a secure national communications and information infrastructure. Therefore, Telecommunications Regulatory Authority (TRA) implemented the UAE Information Assurance Regulation v1.1 (IAR, March 2020) as a crucial component of the National Information Assurance Framework (NIAF) to specify prerequisites for enhancing the level of IA over all implementing organizations in the UAE. The UAE IA Standards grants technical and management data security controls to provide, develop, manage, and regularly update information assurance.

TRA IA Regulation provides in-depth requirements for protection against cyber attacks, as well as indications of how to secure and maintain an IT infrastructure. The TRA IAR draws security relevant controls from existing standards (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27010, ISO/IEC 27032, NIST 800-53 R4, ADSICv1, ADSICv2, etc.) while enhancing subcontrols and providing in-depth information about example implementations.

EPAS (Enterprise Password Analytics Solution) assists organizations preventing breaches based on several TRA IAR recommendations, as detailed in the following pages. Following, the integrated relationships and interactions among individual sector entities implementing the TRA IAR are presented.



Enriching User Authentication

EPAS (Enterprise Password Analytics System) provides an enhanced ADP (Authentication Decision Point), delivered via dedicated infrastructure, along with user authentication using curated credentials. It also provides the necessary tools for securing existing credentials: audit, remediation, and compliance. Deployable within three to five days, it requires little resources to operate, and provides instant detection and remediation tools against all attacks exploiting weak, leaked, or shared passwords.

EPAS (Enterprise Password Analytics System) supports the use of Conditional Authentication (MFA) and reliable Single Factor Authentication and it provides the necessary balance among Trust, TCO (Total Cost Ownership) and UX/CX (User Experience/ Customer Experience) in each use case:


In a very safe environment compliant with the user’s privacy rights, EPAS will not allow a user to choose a password correlated to one that has been used before. The password leakages available on the web are also used, the most recent breaches being included in EPAS dictionaries and preventing users to use passwords whose hashes are known to attackers. This data is kept updated and provides EPAS intelligence about current trend of password usage, helping the user avoid choosing a password that may look safe but is predictable and subsequently vulnerable to attacks.


By using EPAS, no other complex installations are required to be performed, since it comes packaged as a hardware and software solution (appliance). The hardware provided is equipped with the latest technology in terms of computational power and employs state of the art methods for safeguarding the users’ privacy: EPAS can analyze millions of passwords within an environment in a feasible amount of time; all temporary data is stored on a hard drive encrypted with a TPM-backed (Trusted Platform Module) key, sealed to the unit. Software and hardware upgrades are provided at no additional cost. Clear text, personally identifiable recovered passwords are never displayed or stored on the appliance. EPAS is always one step ahead of the technology available to hackers or sponsored attackers.


By implementing the EPAS Enforcer, users will be more aware about the weaknesses inside their password. Giving a detailed reason for their password rejection, they can be more aware in using stronger and more reliable passwords, without impacting the UX, while at the same time lowering the workload of support centres.

The full paper on user authentication with EPAS can be downloaded as a PDF document (English language) here:



EPAS (Enterprise Password Analytics System) is a patented (USPTO 9,292,681 B2, EP2767922) solution developed by Detack GmbH and its Swiss partner Praetors AG. It is a solution for enterprise wide, automatic and regular password quality assessment and enforcement for a wide range of systems. EPAS addresses the overwhelming issue of maintaining secure passwords in large, heterogeneous environments containing Microsoft A/D, Linux/UNIX, IBM System z, SAP and more.

EPAS (Enterprise Password Analytics System) uses a self-developed, patented technology in order to extract all relevant password data from a target system and to use this information as well as bundled intelligence data and analytics algorithms to assess the resilience of passwords against attacks. EPAS employs only legitimate cipher text extraction methods and therefore does not cause any system availability risk for the target.

EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP, Linux/UNIX, Oracle to Microsoft, are supported. Legally compliant reporting offers all security relevant password data whilst respecting the protection of personal data and satisfying workers councils´ requirements. EPAS is an on-premises SaaS solution and delivered through appliances which are integrated into the client´s data center.

A more in-depth presentation of the EPAS Audit solution can be downloaded as a PDF document here:



The EPAS (Enterprise Password Analytics System) Enforcer licensed feature systematically prevents the use of weak, reused or shared passwords whenever the password is changed. EPAS Enforcer for A/D integrates as an LSA filter on the Windows Active Directory domain controllers and ensures that passwords meet defined security requirements when set or changed, in line with a centralized policy mandated by the risk category of the information they protect. The new password is tested against the EPAS evaluation criteria and is accepted or rejected, depending on the defined security requirements. This means that formerly permitted passwords like “Password123” or “Secret!” are not accepted any longer by the computer.

If the password change attempt is unsuccessful, an optional feature of the EPAS Enforcer displays the failure reasons (e.g. “Password must not be included in a dictionary.”) to the end user. The security requirements for a password result from the security classification of the data to be protected, based on customer specific measurements.

A more in-depth presentation of the EPAS Enforcer solution can be downloaded as a PDF document here:


Selected EPAS Reference Customers


AXAAXA XLEvonikEmirates Global AluminiumBoursoramaEquitableHUK CoburgLBBW Asset ManagementUnicreditPiraeus Bank