Securing your Company Data
EPAS is powerful – audits more than 200,000 accounts in companies in 25 countries on a regular basis.
EPAS mitigates risk – supports risk management by closing the password security gap.
EPAS is unique – the only solution worldwide to provide true enterprise password quality assessment.
EPAS Key Features

Universal Password Assessment

EPAS analyses the objective strength of passwords in selected target systems. Weak passwords are vulnerable to malicious cyber attacks. EPAS is able to assess unsalted, statically salted, as well as dynamically salted passwords. It is customized for system-specific encryption and evaluates personal, as well as technical and system accounts.

Detailed and Legally Compliant Reporting

EPAS generates audit reports for each audit job. An executive summary provides full text and graphical data to visualize and explain the passwords’ overall quality. Included are recovery reasons, structure, compliance status and various other statistical data. Passwords are never displayed in clear text.

Built on 15 Years of IT-Security Experience

EPAS was developed based on more than 15 years of IT-security auditing. Extensive experience with manual penetration tests consistently shows that, without resilient passwords, all security measures are bound to fail. EPAS is unique and the only solution to offer a legally compliant view of your enterprise password landscape.

What our customers say

EPAS has helped us to increase our password security tremendously – a security problem we knew about and had to solve, but before had no means to truly control or monitor.

Having EPAS in place, we can always count on running the best software for password security. In addition we get to tap into the wealth of IT-Security knowledge and experience at Detack.


Designed for Enterprises

EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP and Oracle to Microsoft, are supported. Legally compliant reporting offers all security-relevant password data whilst respecting the protection of personal data and satisfying works councils' requirements.

Customizable Password Assessment

EPAS audits the recovered passwords against two criteria: a customized password policy and an objective, entropy-based set of rules. EPAS can simulate various attack methods used by cyber criminals, such as dictionary or brute force attacks. Dictionaries are customizable regarding language and customer-specific vocabulary or terms.

Password Re-Use Report

Recovered passwords are checked for multiple use. A password can either be used several times by the same user on different systems, or one password can be used by several users. Both situations pose a high security risk and are subject to immediate risk mitigation measures.

Technical and System Accounts

In addition to “heartbeat” users, all technical and system accounts are assessed and evaluated by EPAS. These accounts authenticate by using either very simple passwords, default vendor passwords, or no password at all. Yet these accounts usually have the highest privileges and are sometimes even exempt from a password policy. The authentication of technical and system accounts to other systems is one of the largest IT security risks.

Notification by E-Mail

Automatic notification is used to prompt users to change their passwords if these are too weak or otherwise do not comply with defined audit parameters. The same feature automatically notifies the service administrator of a completed password audit job and the availability of a report.

Audit Jobs & Job Queuing

An intelligent job and queuing system permits programmable, regular password auditing with no job collisions. EPAS is highly scalable. It can process simultaneous parallel tasks and can audit millions of accounts on different systems over a single weekend.

Trusted Computing and Encryption

All data EPAS processes is permanently encrypted. Trusted Computing is used to seal the platform; an additional TPM chip secures software and data integrity by employing cryptographic methods. EPAS applies various hardware and software monitoring elements to detect physical or software intrusion attempts. Security failsafe mechanisms log events and shut down in case of intrusion attempts.

EPAS Supported Systems

EPAS can audit several types of systems, ranging from Microsoft products to IBM products (iSeries, zSeries, Domino) and other systems such as UNIX-based systems, LDAP directories and the main database backends. The following system types are supported for account profile and password hash extraction:

Supported standard target systems

Microsoft Active Directory Accounts

Microsoft Windows Local Accounts

IBM System z – zSeries – S/390 RACF (z/OS, z/VM)

IBM System i – iSeries – AS/400

IBM System p – pSeries – RS/6000 AIX

IBM Lotus Domino Application Server

BSD Operating System

Linux Operating System

Sun Solaris – SunOS

Apache Basic – htpasswd

SAP NetWeaver – ABAP AS

LDAP Authentication Server

Supported application-specific data storage

MSSQL System Accounts

MySQL System Accounts

Oracle System Accounts

PostgreSQL System Accounts

Sybase ASE System Accounts

DB2 Database Custom Application

Informix Database Custom Application

MaxDB Database Custom Application

MSSQL Custom Database Application

MySQL Database Custom Application

Oracle Database Custom Application

PostgreSQL Custom Database Application

Sybase ASA Database Custom Application

Sybase ASE Database Custom Application

Besides standard target systems, EPAS also supports application-specific password encryption with data stored in several database types.

EPAS employs only legitimate, vendor-approved methods for retrieving the password data from audited systems. With such methods, there is no risk of crashing the target, and no potentially malicious activities are falsely detected or reported by antivirus or malware detection tools.

“When I talk to people, everybody tells me this [EPAS] is impossible, regardless of how hard you wish for such a solution – for legal, technical, organizational reasons. It takes some time for them to believe me that it really exists.”

Karl-Ulrich Martin

Founder and Managing Director of Detack


Launch of Enterprise Password Assessment Solution EPAS in North America

Ludwigsburg/Germany, February 25 - Detack GmbH will be part of this year's RSA Conference to introduce its unique Enterprise Password Assessment Solution EPAS to the North American market. As an independent supplier of high-quality IT security audits and in-house developed IT security products, Detack will be present in San Francisco from February 29 – March 3 as part of the German pavilion, North Expo Booth N4020/03.

RSA Conference 2016

Celebrating its 25th anniversary this year, RSA Conference continues to drive the information security agenda worldwide. Detack will be exhibiting at booth 4020/3 at the German TeleTrust pavilion. February 29th – March 4th 2016
