Passwords: Analytics, Compliance, Enforcement

Enriching User Authentication

EPAS provides an enhanced ADP (Authentication Decision Point), delivered via dedicated infrastructure, along with user authentication using curated credentials. It also provides the necessary tools for securing existing credentials: audit, remediation, and compliance. Deployable within three to five days, it requires little resources to operate, and provides instant detection and remediation tools against all attacks exploiting weak, leaked, or shared passwords.

EPAS supports the use of Conditional Authentication (MFA) and reliable Single Factor Authentication and it provides the necessary balance among Trust, TCO (Total Cost Ownership) and UX/CX (User Experience/ Customer Experience) in each use case:


In a very safe environment compliant with the user’s privacy rights, EPAS will not allow a user to choose a password correlated to one that has been used before. The password leakages available on the web are also used, the most recent breaches being included in EPAS dictionaries and preventing users to use passwords whose hashes are known to hackers in the world. This is kept updated and also gives EPAS knowledge about current trend of password usage, avoiding the user to select a password that may look safe but is predictable and subsequently vulnerable to attacks.


By using EPAS, no other complex installations are required to be performed, since it comes packed as a hardware and software solution (appliance). The hardware provided is equipped with all the recent technology in terms of computational power and employes state of the art methods for safeguarding the users’ privacy: EPAS is able to analyse millions of passwords within an environment in a feasible amount of time; all the passwords recovered are stored inside the hard drive encrypted with a TPM (Trusted Platform Module) key inside the bundle. Software and hardware upgrades are provided at no additional cost. EPAS is always one step ahead of the technology available to hackers or sponsored attackers.


By implementing the EPAS Enforcer, users will be more aware about the weaknesses inside their password. Giving an exhaustive reason for which their passwords are being rejected, they can become more aware in using more strong and reliable passwords without impacting the UX, while at the same time lowering the workload of support centres.

The full paper on user authentication with EPAS can be downloaded as a PDF document (English language) here:



EPAS is a patented (USPTO 9,292,681 B2, EP2767922) solution developed by Detack GmbH and its Swiss partner Praetors AG. It is an on-premises SaaS solution for enterprise wide, automatic and regular password quality assessment and enforcement for a wide range of systems. EPAS addresses the overwhelming issue of maintaining secure passwords in large, heterogeneous environments containing Microsoft A/D, Linux/UNIX, IBM System z, SAP and more.

EPAS uses a self-developed, patented technology in order to extract all relevant password data from a target system and to use this information as well as bundled intelligence data and analytics algorithms to assess the resilience of passwords against attacks. EPAS employs only legitimate cipher text extraction methods and therefore does not cause any system availability risk for the target.

EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP, Linux/UNIX, Oracle to Microsoft, are supported. Legally compliant reporting offers all security relevant password data whilst respecting the protection of personal data and satisfying workers councils´ requirements. EPAS is an on-premises SaaS solution and delivered through appliances which are integrated into the client´s data center.

A more in-depth presentation of the EPAS Audit solution can be downloaded as a PDF document here:



The EPAS Enforcer licensed feature systematically prevents the use of weak, reused or shared passwords whenever the password is changed. EPAS Enforcer for A/D integrates as an LSA filter on the Windows Active Directory domain controllers and ensures that passwords meet defined security requirements when set or changed, in line with a centralized policy mandated by the risk category of the information they protect. The new password is tested against the EPAS evaluation criteria and is accepted or rejected, depending on the defined security requirements. This means that formerly permitted passwords like “Password123” or “Secret!” are not accepted any longer by the computer.

If the password change attempt is unsuccessful, an optional feature of the EPAS Enforcer displays the failure reasons (e.g. “Password must not be included in a dictionary.”) to the end user. The security requirements for a password result from the security classification of the data to be protected, based on customer specific measurements.

A more in-depth presentation of the EPAS Enforcer solution can be downloaded as a PDF document here:


Selected EPAS Reference Customers


AXABoursoramaEmirates Global AluminiumLBBW Asset ManagementHUK CoburgUnicredit