How does strong password enforcement work?
When using Push’s Strong password enforcement control, you can prompt end-users to change an insecure password.
When an employee’s browser is enrolled in Push, the Push browser extension checks the security of their password by analyzing a salted partial hash of the password. If the password enforcement control is enabled and an employee has a stolen, leaked, reused, or weak password, Push will display an in-browser banner instructing them to change their password.

How it works
When the Push browser extension observes a login, it creates a secure fingerprint of the user’s password to analyze. If the password is insecure, Push raises a security finding for that employee, account, and app in the Push admin console. Learn more about the fingerprinting process in this related help article.
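A generic sketch of the salted partial hash idea described above, as an added example and not Push's own code or algorithm. PBKDF2, the salt value, the 32-bit truncation, the sample data and all function names are assumptions made for illustration.

```python
import hashlib

# Assumptions (not from the Push documentation): PBKDF2-HMAC-SHA256,
# one salt per organisation, and keeping only the top 32 bits of the hash.
ORG_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample salt
ITERATIONS = 100_000
PREFIX_BITS = 32


def fingerprint(password: str, salt: bytes = ORG_SALT) -> int:
    """Return only the top PREFIX_BITS of a salted, stretched hash.

    The full digest is discarded, so the stored value cannot be matched
    against unsalted hash lists, and many passwords share each fingerprint.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - PREFIX_BITS)


def classify(logins, weak_list):
    """Map each app to its findings, comparing fingerprints only.

    logins: (app, password) pairs as seen at login time.
    A fingerprint match is probabilistic: truncation allows rare collisions.
    """
    weak_fps = {fingerprint(p) for p in weak_list}
    apps_by_fp = {}
    for app, password in logins:
        apps_by_fp.setdefault(fingerprint(password), []).append(app)

    findings = {}
    for fp, apps in apps_by_fp.items():
        issues = []
        if fp in weak_fps:
            issues.append("weak")
        if len(apps) > 1:
            issues.append("reused")
        for app in apps:
            findings[app] = list(issues)
    return findings


# Constructed sample input, not real credentials.
SAMPLE_LOGINS = [("crm", "Summer2024!"), ("wiki", "Summer2024!"),
                 ("mail", "password"), ("vpn", "t9#Lq2vX-rare")]
WEAK_LIST = ["password", "123456"]

if __name__ == "__main__":
    for app, issues in classify(SAMPLE_LOGINS, WEAK_LIST).items():
        print(app, issues or "ok")
```

A shorter prefix increases the number of passwords that map to the same fingerprint, which limits what a leaked fingerprint reveals at the cost of more false-positive matches.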
When the Secure password enforcement control is enabled, Push will display a banner to employees who have password issues immediately after Push observes their login. The message and button text are customizable by a Push administrator.
If an app supplies a distinct password update page, the banner button will take the user directly there to change their password.
If the employee closes the banner without resolving the password issue, they’ll see it again the next time they log in to the app.
Push will also emit a webhook event when a user is shown a banner or clicks the password change button. Events are also emitted when a password is changed and when the password security finding is resolved.
Configuration options
You can configure the password enforcement control for all observed password security issues, or just specific types of issues (e.g. stolen credentials, but not reused passwords).
You can also opt to enable this control on all apps in your environment, or just specific apps.
Use the configuration rules to set the Scope.

Enforcement precedence
If you’re also using the MFA enforcement control, Push will give precedence to the password enforcement control in a situation where both apply.
In other words, if an employee is not registered for MFA and also has a password issue, Push will display the password enforcement banner only. Once the password issue is resolved, Push will display the MFA enforcement banner next.
Markdown for styling custom message
The custom message field supports link and email syntax using markdown, but no other formatting.
Example markdown:
[Push Security](https://pushsecurity.com)
[Steph](mailto:steph@ctrlaltsecure.com)