Phishing 2.0 - Detecting AitM and BitM Toolkits // Watch Now

Ready to help

How does Push determine if a password is leaked or weak?

Push uses a browser extension to identify when an employee is using a leaked or weak password to log into cloud apps.

Leaked passwords have been exposed in a data breach. Weak passwords are easily guessable, based on a list of common base words.

If Push has identified a weak or leaked password, you’ll see a finding type of Weak password or Leaked password when viewing the employee’s details in the Push admin console. These findings also appear on the Accounts page for individual app accounts.

Employee slideout with security findings - KB 10066
When an employee's accounts have security findings, you'll see the findings listed on a slideout in the Push admin console.

How Push identifies weak passwords

To determine if a password is weak, the Push browser extension checks the password against:

  • A list of top 10,000 weak base passwords

  • Number and special character variations on these weak base passwords, for example: Password1!, January2022

  • Variations on these weak base passwords that replace letters with numerals (1337), for example: P455w0rd.

This type of password security check occurs automatically as the browser extension observes logins for your monitored domains. Learn more about how the extension works in this help article.

You can find the list of top 10,000 weak base passwords used in the Push browser extension on Github.

How Push identifies leaked passwords

To determine if a password has been exposed in a data breach, the Push browser extension queries the Have I Been Pwnd (HIBP) API. If you do not wish to check for compromised passwords, you can disable this feature in the Push admin console by going to Settings > Browser extension > Check for compromised passwords.

HIBP configuration screen - KB 10066

To preserve employee privacy and security, Push creates a hash of the passwords it collects via the browser extension and then sends the first 5 characters of the password hash to the Have I Been Pwned passwords API. The API returns all compromised password hashes that begin with those 5 characters, and then Push checks for matches. This ensures HIBP never sees the full hash that is being checked. Learn more about the process in this article.

Separately, Push also checks whether the employee username is present in the breached data using the HIBP breaches API. The password check and the username check occur separately, so Push does not know which specific account with which specific password has been compromised — only that there is a high likelihood that the employee account has been or will be compromised because both the username and the password appear in the set of breached data.

If the Push browser extension observes the use of a compromised password for an account that has known breaches, we flag it for remediation in the admin console.

Related articles