NIST recently recommended that organizations check users’ credentials against a set of known-compromised passwords in order to prevent account takeover (ATO).
However, gathering a set of compromised passwords comes with challenges. First, purchasing stolen credentials may indirectly support the criminal ecosystem. Second, password lists that are publicly available tend to be incomplete and stale.
Is there a better way to follow NIST’s guidelines and protect users from ATO?