How does strong password enforcement work?

When using Push’s Strong password enforcement control, you can prompt end-users to change an insecure password.

When an employee’s browser is enrolled in Push, the Push browser extension checks the security of their password by analyzing a salted partial hash of the password. If the password enforcement control is enabled and an employee has a stolen, leaked, reused, or weak password, Push will display an in-browser banner instructing them to change their password.

[Image: Password enforcement banner - KB 10129]

How it works

When the Push browser extension observes a login, it creates a secure fingerprint of the user’s password to analyze. If the password is insecure, Push raises a security finding for that employee, account, and app in the Push admin console. Learn more about the fingerprinting process in this related help article.

When the Secure password enforcement control is enabled, Push will display a banner to employees who have password issues immediately after Push observes their login. The message and button text are customizable by a Push administrator.

If an app supplies a distinct password update page, the banner button will take the user directly there to change their password.

If the employee closes the banner without resolving the password issue, they’ll see it again the next time they log in to the app.

Push will also emit a webhook event when a user is shown a banner or clicks the password change button. Events are also emitted when a password is changed and when the password security finding is resolved.

Configuration options

You can configure the password enforcement control for all observed password security issues, or just specific types of issues (e.g. stolen credentials, but not reused passwords).

You can also opt to enable this control on all apps in your environment, or just specific apps.

Use the configuration rules to set the Scope.

[Image: Configuration rule - password enforcement - KB 10129]

Enforcement precedence

If you’re also using the MFA enforcement control, Push will give precedence to the password enforcement control in a situation where both apply.

In other words, if an employee is not registered for MFA and also has a password issue, Push will display the password enforcement banner only. Once the password issue is resolved, Push will display the MFA enforcement banner next.

Markdown for styling custom message

The custom message field supports link and email syntax using markdown, but no other formatting.

Example markdown:

[Push Security](https://pushsecurity.com)
[Steph](mailto:steph@ctrlaltsecure.com)
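
Because only link and email syntax render in the banner, it helps to check a custom message before saving it. The following is an added example, not Push's code: a small linter that flags unsupported formatting and links outside an approved list. The function name, the allow-lists, the https-only rule, the marker list and the sample messages are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# [text](target): the shape of both example lines on the page.
LINK_RE = re.compile(r"\[([^\[\]]+)\]\(([^()\s]+)\)")
# Assumption: markers taken to be "other formatting" (emphasis, code, images,
# headings, block quotes, raw HTML).
OTHER_MD_RE = re.compile(r"\*\*|__|`|!\[|^\s{0,3}#{1,6}\s|^\s{0,3}>\s|<[A-Za-z/][^>]*>", re.M)


def lint_banner_message(message, allowed_web_hosts, allowed_mail_domains):
    """Return a list of problems found in a custom banner message."""
    problems = []
    for text, target in LINK_RE.findall(message):
        url = urlparse(target)
        if url.scheme == "https":
            host = (url.hostname or "").lower()
            if host not in allowed_web_hosts:
                problems.append(f"link '{text}' points to unapproved host {host!r}")
        elif url.scheme == "mailto":
            domain = url.path.rpartition("@")[2].lower()
            if "@" not in url.path or domain not in allowed_mail_domains:
                problems.append(f"email link '{text}' uses unapproved address {url.path!r}")
        else:
            problems.append(f"link '{text}' uses unsupported scheme {url.scheme or 'none'!r}")
    # Remove the valid link syntax, then look for formatting that will not render.
    remainder = LINK_RE.sub("", message)
    for marker in sorted(set(m.strip() for m in OTHER_MD_RE.findall(remainder))):
        problems.append(f"unsupported formatting marker {marker!r}")
    if re.search(r"https?://", remainder):
        problems.append("bare URL outside [text](url) syntax")
    return problems


# Constructed sample data (hypothetical policy and messages).
ALLOWED_HOSTS = {"pushsecurity.com"}
ALLOWED_MAIL = {"ctrlaltsecure.com"}
OK_MSG = ("Your password needs changing. See [Push Security](https://pushsecurity.com) "
          "or email [Steph](mailto:steph@ctrlaltsecure.com).")
BAD_MSG = "**Action required**: reset at [portal](https://login.example.net/reset)"

if __name__ == "__main__":
    for msg in (OK_MSG, BAD_MSG):
        print(lint_banner_message(msg, ALLOWED_HOSTS, ALLOWED_MAIL) or "ok")
```
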