CAP Password Exposure API
For E-commerce & Retail – with SpyCloud Consumer ATO Prevention.
SpyCloud Consumer ATO Prevention helps further reduce account takeover fraud against registered users. Criminals who gain access to a customer account can use the payment information stored there; this type of fraud usually surfaces as credit card fraud or chargeback fraud.
They can also spend the account's loyalty rewards, which creates customer-relations problems as well as additional fraud losses when the rewards have to be replenished.
🛡️ Enhanced account security & NIST alignment
Adding these account-security checks also helps clients align with NIST password guidance (SP 800-63B). With billions of stolen assets circulating in the criminal underground and new data breaches and malware infections occurring daily, security teams are resource-constrained: collecting data specific to their own consumers, making it actionable to validate compromise at scale, and still keeping accounts secure is hard to do in-house.
**SpyCloud** helps improve operational efficiency and simplifies alignment with NIST password guidelines by letting you check your consumers' passwords against its database of stolen credentials. By adding the Password Exposure API to existing workflows, you can detect and block weak, common, and compromised passwords before they are used, reducing the time and cost of monitoring and mitigating password-related risk.
🔍 What it does
Using the Password Exposure API, you can screen your consumers' passwords for weak, common, and compromised values by checking how many times (if ever) each password has appeared in the SpyCloud database, regardless of the username it was paired with.
Checks are made with a k-anonymity range query: the consumer's plaintext password never leaves your systems, and only a short prefix of its hash is sent to SpyCloud (see How k-anonymity works below).
✅ Identify and avoid
- Passwords obtained from previous breach corpuses
- Dictionary words
- Repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd')
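The local part of that blocklist, the repetitive, sequential and dictionary-word categories, as an added example that is not SpyCloud code or part of its API. The run length of 4, the minimum length of 8, and the tiny word list are assumptions chosen for illustration; NIST SP 800-63B leaves the exact blocklist contents to the verifier, and the breach-corpus category still needs the API check.

```python
"""Local checks for the weak-password categories in the list above.

Added example, not SpyCloud code. The run length (4), the minimum length (8)
and the tiny word list are assumptions chosen for illustration; NIST SP 800-63B
leaves the exact blocklist contents to the verifier.
"""
from __future__ import annotations

MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen memorized secrets
MAX_RUN = 4      # flag runs like 'aaaa' or '1234' of this length or longer (assumption)

# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = frozenset({"password", "welcome", "letmein", "qwerty", "monkey", "dragon", "football"})


def longest_repeat_run(s: str) -> int:
    """Length of the longest run of one repeated character: 'aaaaaa' -> 6, 'abc' -> 1."""
    best = cur = 1 if s else 0
    for prev, ch in zip(s, s[1:]):
        cur = cur + 1 if ch == prev else 1
        best = max(best, cur)
    return best


def longest_sequential_run(s: str) -> int:
    """Length of the longest run whose code points step by a constant +1 or -1,
    so '1234abcd' -> 4 and 'zyxw' -> 4, while 'abcba' -> 3."""
    best = cur = 1 if s else 0
    direction = 0  # +1 ascending, -1 descending, 0 no run in progress
    for prev, ch in zip(s, s[1:]):
        step = ord(ch) - ord(prev)
        if step not in (1, -1):
            cur, direction = 1, 0
        elif step == direction:
            cur += 1
        else:               # first step of a run, or the run changed direction
            cur, direction = 2, step
        best = max(best, cur)
    return best


def dictionary_word_in(pw: str, words: frozenset[str] = COMMON_WORDS) -> str | None:
    """Return the longest listed word found inside the password (case-insensitive), else None."""
    lowered = pw.lower()
    for word in sorted(words, key=len, reverse=True):
        if word in lowered:
            return word
    return None


def weak_password_reasons(pw: str) -> list[str]:
    """Return the reasons a candidate password should be rejected; empty list if none.
    Covers only the local categories; exposure in breach corpora needs the API check."""
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if longest_repeat_run(pw) >= MAX_RUN:
        reasons.append("repetitive characters")
    if longest_sequential_run(pw.lower()) >= MAX_RUN:
        reasons.append("sequential characters")
    word = dictionary_word_in(pw)
    if word is not None:
        reasons.append(f"contains dictionary word '{word}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("aaaaaa", "1234abcd", "Password123!", "Tq7#mR2vLp9z"):
        print(f"{candidate!r}: {weak_password_reasons(candidate) or 'ok'}")
```

The sequential check lower-cases first so 'AbCd' is still caught, and it treats a change of direction as the start of a new run, which is why 'abcba' scores 3 rather than 5. Run these checks before the exposure query: a password that fails locally never needs to be hashed and sent at all.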
⚙️ How k-anonymity works
To check password-only matches against the entire SpyCloud database without revealing the password, the Password Exposure API uses k-anonymity. Your system hashes the password locally and sends only the first 5 characters of that hash; the consumer's plaintext password, and the rest of the hash, never leave your side. SpyCloud answers for the whole prefix bucket and the final comparison against the full hash is completed locally.
Because many passwords share any given 5-character prefix, the prefix identifies a bucket rather than a password. SpyCloud therefore learns nothing about the exact password, and an attacker who intercepted the request would learn only that the password hashes into that bucket, which on its own is of little use. The request should still travel over TLS like any other API call.
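The exchange described above, simulated end to end with both sides in one file, plus the reset-threshold policy discussed in the resets section, as an added example that is not SpyCloud's code or its API. It assumes SHA-1 as uppercase hex for the hash (the convention popularised by Have I Been Pwned's range API) and a text response of one `SUFFIX:COUNT` line per hash in the bucket; neither the hash function nor the response format is stated on this page, and the breach corpus below is constructed.

```python
"""k-anonymity range query for a password exposure check, both sides simulated offline.

Added example, not SpyCloud code. Assumptions: the hash is SHA-1 as uppercase hex
(the convention popularised by Have I Been Pwned's range API) and the service answers
with one 'SUFFIX:COUNT' line per stored hash in the requested 5-character bucket.
SpyCloud's real request and response formats and hash function are not stated on
this page. The breach corpus below is constructed.
"""
import hashlib
import hmac
from typing import Callable, Dict

BREACH_CORPUS: Dict[str, int] = {          # constructed: password -> times seen
    "password": 9_000_000,
    "123456": 23_000_000,
    "letmein": 400_000,
    "Winter2023!": 3,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (hash choice is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- service side: indexes full hashes, never sees a plaintext or a full query hash
SERVER_INDEX: Dict[str, int] = {sha1_hex(p): n for p, n in BREACH_CORPUS.items()}


def range_query(prefix: str) -> str:
    """Return every stored hash sharing the 5-character prefix as 'SUFFIX:COUNT' lines.
    The prefix is all the service learns about the password being checked."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\n".join(f"{h[5:]}:{n}" for h, n in SERVER_INDEX.items() if h.startswith(prefix))


# ---- client side: hashes locally, sends the prefix, finishes the match itself
def exposure_count(password: str, query: Callable[[str], str] = range_query) -> int:
    """How many times the password appears in the corpus (0 if never).
    Only digest[:5] leaves the client; the remaining 35 characters are compared locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        # constant-time compare so the local match does not leak timing information
        if hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


def should_force_reset(count: int, threshold: int = 1) -> bool:
    """Reset policy hook: the recommended practice is threshold=1 (any exposure);
    a higher threshold reproduces the 'only after N appearances' variant."""
    return count >= threshold


if __name__ == "__main__":
    for pw in ("password", "Winter2023!", "correct horse battery staple"):
        n = exposure_count(pw)
        print(f"{pw!r}: seen {n} times, force reset: {should_force_reset(n)}")
```

Against a real corpus of billions of hashes each of the 16^5 prefix buckets holds many entries, so the service and any interceptor learn only bucket membership; with the four-entry toy corpus here the buckets are nearly empty, which is why this is an illustration of the mechanism rather than of its privacy margin. In a real integration `range_query` is the HTTPS call to the service, and `exposure_count` is what runs in your registration, login, or reset handler.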
🧭 When & how resets are triggered
Once a consumer's password has been identified as compromised (typically during account creation, login, or a password reset, or through a batch check), businesses usually automate notifying the affected consumer and initiating a password reset.
Some companies force a reset only after a password has appeared in the SpyCloud database a specific number of times; however, resetting any password with even a single exposure remains the recommended best practice.