/
How does Push determine if a password is leaked or weak?
Push uses a browser extension to identify when an employee is using a leaked or weak password to log into cloud apps.
Leaked passwords have been exposed in a data breach. Weak passwords are easily guessable, based on a list of common base words.
If Push has identified a weak or leaked password, you’ll see a finding type of Weak password or Leaked password when viewing the employee’s details in the Push admin console. These findings also appear on the Accounts page for individual app accounts.
How Push identifies weak passwords
To determine if a password is weak, the Push browser extension checks the password against:
A list of top 10,000 weak base passwords
Number and special character variations on these weak base passwords, for example: Password1!, January2022
Variations on these weak base passwords that replace letters with numerals (1337), for example: P455w0rd.
This type of password security check occurs automatically as the browser extension observes logins for your monitored domains. Learn more about how the extension works in this help article.
You can find the list of top 10,000 weak base passwords used in the Push browser extension on Github.
How Push identifies leaked passwords
To determine if a password has been exposed in a data breach, the Push browser extension queries the Have I Been Pwnd (HIBP) API. If you do not wish to check for leaked passwords, you can disable this feature in the Push admin console by going to Settings > Password checks > Check for leaked passwords.
To preserve employee privacy and security, Push creates a hash of the passwords it collects via the browser extension and then sends the first 5 characters of the password hash to the Have I Been Pwned passwords API. The API returns all leaked password hashes that begin with those 5 characters, and then Push checks for matches. This ensures HIBP never sees the full hash that is being checked. Learn more about the process in this article.
If the Push browser extension observes the use of a leaked password for an account that has known breaches, we flag it for remediation in the admin console. This essentially means that the account is using a password that has previously been exposed in a data breach, but not necessarily for that email address.
Push also provides a stolen credential detection feature to raise the most high-fidelity signal of a compromised password for a given account. This feature flags where threat intelligence feeds have discovered a stolen password for sale on criminal marketplaces with an associated email address, and this combination is actively being used by an employee.