Password Intelligence

We protect several million accounts and some of the world’s largest corporations. Since adopting EPAS, none of these accounts have been reported as compromised because of insecure passwords.

Check out the EPAS website at www.epas.de or continue reading to find out more.

Why EPAS

Can We Make Passwords Secure?

It is an established fact that insecure, reused, and compromised passwords are one of the leading causes of security breaches.

When we consider the future of password security, we are often told that the only way to secure passwords is either to replace them with alternative technologies or at least to supplement them with additional factors. Without dismissing the benefits of modern authentication technologies, we aim to challenge this popular statement and examine the practical reasons that led to it.

A password alone is not inherently an insecure method of authentication. Like any other IT component, it requires testing and quality assurance to ensure it is secure.
Until now, the issue with passwords has been the lack of testing solutions that specifically simulate the actions of an attacker attempting to crack them.
This was not due to a lack of password-cracking tools, but because revealing the plaintext password results in a privacy breach.

Yes. We Can

EPAS offers a unique approach by identifying and preventing insecure, reused, and compromised passwords without breaching users’ privacy.
This enables organizations to effectively eliminate all password-related vulnerabilities while continuing to use a proven, well-known, and well-supported authentication method.

EPAS is patented technology used on thousands of servers and identity management systems by several million enterprise users, in over 30 countries. Since using EPAS, none of these accounts have been reported as compromised because of insecure passwords.

Implementing EPAS

Using extra security measures like MFA and risk-based authentication is still recommended to increase security. However, this can often be challenging, especially for legacy and OT systems or when the necessary technology changes lead to very high costs.
The implementation can also take a long time, leaving accounts open to password-related attacks.
Even when MFA is used, the password is usually one of the factors and must be properly secured.

EPAS provides immediate protection, for all passwords, whether used as the only factor or part of MFA. The EPAS appliance is set up within 24 hours, even in complex environments, and provides instant results, without installing any software on protected systems.

EPAS Features

Scan for Insecure Passwords

EPAS Audit represents the first solution to successfully address the challenge of conducting privacy-compliant password security assessments while simulating authentic attacks.

By executing the attack and evaluation within a sealed, secure environment, without storing or revealing the cleartext password, EPAS maintains full compliance with legal and privacy regulations.

Patents: USPTO 9,292,681 B2, EP 2767922 B1

Prevent Insecure Passwords

EPAS Enforcer offers an essential toolset to leverage the results and metrics produced by EPAS Audit, ensuring that insecure passwords are not used again by blocking them during password changes.

Enforcer is an optional add-on to EPAS Audit, and it supports several identity management systems, as well as Microsoft Active Directory, Windows O/S, MS Azure, UNIX systems, database engines, and custom applications.

Vast Password Intelligence Sources

Compromised credentials represent the most frequently exploited attack vector in password-related breaches. EPAS offers one of the largest and best curated password intelligence databases available today, utilized to both identify and prevent the use of compromised credentials.

This data is gathered from human-led Threat Intelligence covering underground forums and the dark web, malware logs shared among malicious actors, and publicly available password breaches, such as Have I Been Pwned.

Unlike other solutions, the dataset is available in plaintext, which allows EPAS to provide several unique features: it can determine whether current passwords have been compromised across all supported systems, not only Active Directory, and it can detect and block not only exact matches of compromised passwords but also slightly altered versions of them. The data is refreshed on a regular basis.
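
As an added illustration of the variant-detection idea described above (example code written for this page, not EPAS code and not a documented EPAS method): a password-change filter that canonicalizes a candidate password, undoing common mangling such as leetspeak and trailing digits, and compares hashes of both the raw and the canonical form against a local store built from a constructed sample feed. The feed contents, the substitution table and the canonicalization rules are assumptions of the example; the filter retains only hashes of the feed and never stores the candidate.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Constructed sample feed for this example (NOT real breach data). In a
# deployment this would be the plaintext intelligence dataset the brochure
# describes; its contents here are an assumption.
SAMPLE_BREACH_FEED = ["Summer2023!", "P@ssw0rd", "letmein", "qwerty123", "Welcome1"]

# Common substitutions that derivation rules apply, mapped back to the base
# letter. The table is an assumption of this example, not a documented EPAS rule.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

# Leading or trailing runs of digits, punctuation and underscores ("2024", "!!").
_EDGE_NOISE = re.compile(r"^[0-9\W_]+|[0-9\W_]+$")


def canonical(password: str) -> str:
    """Reduce a password to the stem a mangling rule would have started from:
    lowercase it, drop leading/trailing digits and punctuation, undo leetspeak.
    A purely numeric or symbolic password is kept as-is (lowercased)."""
    lowered = password.lower()
    stem = _EDGE_NOISE.sub("", lowered).translate(LEET_MAP)
    return stem or lowered


def _sha1_hex(text: str) -> str:
    # SHA-1 serves only as a lookup key, as HIBP-style range datasets use it;
    # it gives the feed no secrecy and is not a password storage hash.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class CompromisedStore:
    """Lookup tables of hashes only: the filter keeps neither the feed's
    plaintext nor any candidate password after the verdict is returned."""
    exact: FrozenSet[str]   # hashes of feed entries as delivered
    stems: FrozenSet[str]   # hashes of their canonical stems

    @classmethod
    def build(cls, feed: Iterable[str]) -> "CompromisedStore":
        exact, stems = set(), set()
        for entry in feed:
            exact.add(_sha1_hex(entry))
            stems.add(_sha1_hex(canonical(entry)))
        return cls(frozenset(exact), frozenset(stems))


def check_password(candidate: str, store: CompromisedStore) -> Optional[str]:
    """Return None if the candidate may be set, otherwise the rejection reason.
    The exact check catches reuse of a leaked password; the stem check catches
    the "slightly altered" variants (P@ssw0rd -> Passw0rd!2024, L3tM3!n)."""
    if _sha1_hex(candidate) in store.exact:
        return "compromised: exact match in intelligence data"
    if _sha1_hex(canonical(candidate)) in store.stems:
        return "compromised: variant of a known compromised password"
    return None


if __name__ == "__main__":
    store = CompromisedStore.build(SAMPLE_BREACH_FEED)
    for attempt in ["P@ssw0rd", "Passw0rd!2024", "L3tM3!n", "Correct-Horse-Battery"]:
        verdict = check_password(attempt, store)
        print(f"{attempt!r}: {'accepted' if verdict is None else verdict}")
```

The stem comparison is deliberately lossy: any candidate that reduces to the same stem as a leaked password is rejected, even if that exact string never appeared in a breach, which is the behaviour a change-time filter wants. The rule set should be tuned against the organisation's own password history rather than taken as given here.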


Artificial Intelligence Enabled

Advanced criminals and state actors are increasingly using artificial intelligence to perform password attacks. EPAS employs AI to detect passwords vulnerable to such attacks.

By using LLMs such as GPT to generate predictive word lists, combined with classic methods such as derivation rules, an improvement of 10% to 18% in the recovery rate can be observed.

EPAS employs machine learning acceleration with NVIDIA CUDA hardware.

Governance, Risk, and Compliance Support

Whether for enhancing security, remediation, or meeting regulatory standards, EPAS reports offer complete visibility into vulnerable credentials.

These reports are frequently employed in internal audits and serve as evidence of compliance with strong authentication requirements in GRC.

Some of the compliance standards and regulatory frameworks supported by EPAS are:

  • ISO 27001 / ISO 27002 password and cryptographic controls

  • NIST password guidelines as published in NIST Special Publication (SP) 800-63B

  • European Network and Information Systems Directive 2 (NIS2)

  • Digital Operational Resilience Act (DORA)

  • Australian Security of Critical Infrastructure Act (SOCI)

  • German BSI IT-Grundschutz

Highly Scalable

EPAS is routinely deployed across multiple data centers, and across multiple countries.

A central instance can serve dozens of data centers, thousands of servers, and millions of accounts. Multiple EPAS systems can be deployed to ensure high availability and failover.

Cloud Enabled

EPAS is an on-premises or private cloud appliance solution. It can be deployed in single data centers to accommodate smaller enterprises or can be scaled up as required, extending across multiple data centers or locations, serving single or multiple tenants from a centralized location.

Security by Design

EPAS handles sensitive information, including user credentials and hashed password data. To guarantee the security of this data against external attacks as well as malicious internal use (e.g., modifying the system to display recovered passwords), the EPAS platform employs full encryption, TCG (Trusted Computing Group) technology sealing, independent and internal security testing, and follows a secure development process within a certified environment.

EPAS Specifications

Core Capabilities

  • Detects weak, predictable, compromised, and reused passwords

  • Simulates all known types of attacks, from brute-force to leaks and AI

  • Does not expose or store the plaintext of recovered passwords

  • Applies both to existing, encrypted passwords and to new ones

  • Prevents setting insecure passwords based on assessment metrics

  • Supports all enterprise systems, from mainframes to Active Directory

  • Protects both on-premises and cloud-based systems

  • Bundles one of the world’s largest databases of compromised credentials

  • Leverages the latest generation of GPU-based hardware acceleration

  • Employs AI to identify passwords vulnerable to LLM-based attacks

Enterprise Integration

  • Delivers enterprise-grade reporting, metrics, and KPIs

  • Unlimited scalability across datacenters, countries, and cloud

  • Provides full automation and scheduling without human intervention

  • Provides APIs to integrate with SOC environments and third-party tooling

  • Integration with MS Entra ID, IBM RACF, CyberArk, OneIdentity IM, Micro Focus NetIQ

  • Readily available for MSP / MSSP use cases, with multi-tenant capability

  • Historical password quality analysis across custom account selection

  • Regional support centers in USA, Germany, Singapore, Australia

  • Custom reporting by splitting and merging target specific reports

  • Mature, trusted technology used by some of the world’s largest corporations

Use Cases & Benefits

  • Eliminate password-related security risks

  • Meet regulatory requirements for authentication and privacy

  • Optimize costs associated with identity management and authentication

  • Improve user experience when changing passwords

  • Coverage for legacy systems that do not support MFA

  • Compensatory controls for MFA or related regulatory requirements

Security Features

  • Standalone hardware or virtual appliance, fully encrypted at all times

  • Uses Trusted Computing with TPM for tamper prevention

  • Fully isolated, with no external or Internet connection

  • Production-safe, uses only legitimate vendor APIs for extraction

  • Agent-less, does not install any software on audited systems

  • ISO 27001-certified development environment

  • Undergoes regular independent security assessments

  • The EPAS Enforcer plug-in is verified, certified, and digitally signed by Microsoft

EPAS Audit Supported Systems

  • Microsoft Active Directory Accounts

  • Microsoft Windows Local Accounts

  • IBM System z – zSeries – RACF z/OS, z/VM

  • IBM System i – iSeries – AS/400

  • IBM System p – pSeries – RS/6000 – AIX

  • IBM Lotus Domino Application Server

  • SAP NetWeaver – ABAP AS

  • BSD Operating System

  • Linux Operating System

  • Sun Solaris – SunOS

  • Apache Basic – htpasswd

  • LDAP Authentication Server

  • Apple macOS – Mac OS X

  • Cisco ISE – ASA – IOS – NX-OS

  • MongoDB System Accounts

  • MSSQL System Accounts

  • MySQL System Accounts

  • Oracle System Accounts

  • PostgreSQL System Accounts

  • Sybase ASE System Accounts

  • Bitwarden Password Vault

  • KeePass Password Vault

  • DB2 Database Custom Application

  • Informix Database Custom Application

  • MaxDB Database Custom Application

  • MSSQL Custom Database Application

  • MySQL Database Custom Application

  • Oracle Database Custom Application

  • PostgreSQL Custom Database Application

  • Sybase ASA Database Custom Application

  • Sybase ASE Database Custom Application

EPAS Enforcer Supported Systems

  • Microsoft Active Directory

  • Linux Accounts / PAM

  • Microsoft Windows Accounts

  • Microsoft Azure AD / Hybrid

  • Microsoft SQL Server

  • OneIdentity Identity Manager

  • Micro Focus NetIQ SSPR

  • Web-Based Password Management

  • Custom Applications

Hardware & Virtualization

  • Server hardware: Intel Xeon architecture, custom OEM configuration

  • GPU acceleration: Current release is based on NVIDIA GeForce RTX 40 series

  • Redundancy: High availability and failover configurations available for all use cases

  • Encryption: FDE with HSM for operational data storage, TCG 2.0, discrete TPM module

  • Rack mounting: All models are built for standard full depth 19″ rack enclosures

  • Virtual appliance options: VMware vSphere, Microsoft Azure, Amazon AWS


Selected EPAS Reference Customers

  • AXA

  • AXA XL

  • Evonik

  • Emirates Global Aluminium

  • Boursorama

  • Equitable

  • HUK Coburg

  • LBBW Asset Management

  • Unicredit

  • Piraeus Bank