Password Exposure API ONLY

For SpyCloud Consumer ATO Prevention.

🔐 Password Exposure API — Overview

Recommended for enterprises that are restricted from sending hashed identifiers over the network.


💡 Why Use It

If a password has ever appeared in the SpyCloud database, it’s already in the hands of cybercriminals and may be used in password spraying attacks.

Blocking your consumers from choosing a password that has been exposed dozens, hundreds, thousands, or even millions of times strengthens their account security and helps to protect them from account takeover.


✅ What It Can Do

  • Checks passwords as they are created (point-in-time check) when consumers set up an account, change their password, or have their password reset.
  • Checks each new password against SpyCloud’s entire database (billions of passwords recovered from criminal communities).
  • Identifies how many times a password has ever appeared in the SpyCloud database, allowing you to set your own threshold for rejecting a password and avoid unnecessary friction.
  • Uses k-anonymity, meaning only the first 5 characters of a password hash are sent over the network.
  • Supports alignment with NIST password standards.
  • Does not re-check passwords that are already in use against new breach exposures.

Important: The Password Exposure API checks passwords at one point in time: creation. If a user’s credentials appear in a breach later on in the account lifecycle, the Password Exposure API won’t check them.


⚙️ How It Works

To securely check password-only matches against the entire SpyCloud database, the Password Exposure API uses an approach called k-anonymity. Only the first 5 characters of each password hash are sent over the network – never the user’s plaintext password.
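As an added illustration of the k-anonymity flow described here and of the count-based threshold mentioned above (example code written for this page, not SpyCloud's client or API): the client hashes the candidate password, sends only the 5-character prefix, receives every known suffix under that prefix with its exposure count, and does the full-hash comparison locally. The hash algorithm (SHA-1 hex), the response shape and the sample exposure data are all assumptions, since the page does not specify them.

```python
import hashlib

PREFIX_LEN = 5  # per the page: only the first 5 characters of the hash leave the client


def split_hash(password):
    """Return (prefix, suffix) of the password's hex hash.

    Assumption: the page does not name the hash algorithm, so SHA-1 is used here
    purely as a stand-in for "password hash".
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed sample of an exposure database (password -> times seen). It exists only
# to simulate the service side of the exchange; the real client never holds plaintext
# for anything other than the one candidate password it is checking.
_CONSTRUCTED_EXPOSURES = {
    "password123": 4_200_000,
    "Summer2024!": 350,
    "correct horse battery staple": 12,
}


def range_lookup(prefix):
    """Simulated server: receives only a 5-character prefix and returns every known
    suffix under that prefix with its count. It cannot tell which one the caller wants."""
    bucket = {}
    for pw, count in _CONSTRUCTED_EXPOSURES.items():
        p, s = split_hash(pw)
        if p == prefix:
            bucket[s] = count
    return bucket


def exposure_count(password, lookup=range_lookup):
    """Number of times the password has been seen; 0 if never."""
    prefix, suffix = split_hash(password)
    candidates = lookup(prefix)       # the prefix is the only value sent over the network
    return candidates.get(suffix, 0)  # the full-hash comparison stays on the client


def should_reject(password, threshold=1, lookup=range_lookup):
    """Reject when the exposure count meets the threshold the enterprise has chosen."""
    return exposure_count(password, lookup) >= threshold
```

Raising `threshold` trades a little exposure risk for less friction; `threshold=1` rejects any password ever seen.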


🧭 When to Use It

Customers typically query the Password Exposure API whenever a consumer sets a new password, which includes account creation, password resets, and password changes. See the “Implementation” section for more detailed information.