March 7, 2018


Credentials don’t start out on the dark web - they end there.


When usernames and passwords are compromised in a data breach, the consequences extend far beyond the victim organization due to rampant password reuse. For this reason, NIST recently recommended that organizations check users’ credentials against a set of known compromised passwords. However, by patronizing dark web forums and paying for spilled credentials, enterprises indirectly support the criminal ecosystem. Furthermore, attackers often don’t publicly post stolen data until months or years after the breach, if at all. Is there a better way to follow NIST guidelines and protect users from account takeover?

Join Justin Richer, co-author of NIST Digital Identity Guidelines 800-63B, and Gautam Agarwal, Shape's Senior Director of Product Management, for a lively discussion on NIST’s password recommendations and how best to prevent account takeover fraud at your organization.


  • The Threat of Stolen Credentials
  • Reasoning Behind NIST’s Password Recommendations
  • Ways to Manage a Password “Breach Corpus”
  • How Blackfish Helps Organizations Follow NIST Guidelines



Justin Richer - Coauthor of NIST Digital Identity Guidelines

Justin Richer is a systems architect, software engineer, standards editor, and service designer with over fifteen years of industry experience. He wrote the pioneering Vectors of Trust and is a co-author of NIST Special Publication 800-63 version 3.


Gautam Agarwal - Sr. Director, Product Management

Gautam is responsible for leading new product strategies across Shape's product portfolio. Prior to Shape, Gautam had 12+ years of experience in various leadership roles across product and engineering, specializing in multi-device cross-platform application development tools, SaaS, and Business Intelligence.