How does Push evaluate passwords containing words restricted by an administrator?
Push administrators can configure custom words that employees are discouraged from using in their passwords for SaaS apps. This feature allows admins to flag the use of commonly used terms, such as the company name, which are easily guessable.
When Push checks for custom terms, the goal is to catch weak passwords built on the restricted word or words. Simply containing the term is not enough to flag a password, however: it also has to be a genuinely weak password. This lets employees keep using multi-word passphrases or long, unique passwords, which are stronger than short passwords even when they happen to contain a restricted term.
How it works
At the time of login, the Push browser extension reduces the password to its base word and compares that against both the custom term list and a list of the top 10,000 easily guessable base passwords, asking three questions:
Are there words included from the custom term list?
With numbers and special characters removed, is the base word easily guessable?
Are variations on the base word that replace letters with numerals (1337) easily guessable?
If the term push security is on the custom terms list, then the password hygiene check would flag the following passwords as weak:
pushsecurity (base word consists of a custom term)
pushsecurity2022 (with numbers removed, the base word consists of a custom term)
PushSecur1ty! (with the special character removed and the numeral 1 read as the letter i, the base word consists of a custom term)
Push Security 123& (with numbers and special characters removed, the base word consists of a custom term)
Weak password checks are not case-sensitive and ignore the presence or absence of spaces in custom terms. In addition, Push doesn’t flag passwords if they contain only individual words from a multi-word phrase you have restricted.
These passwords would pass the check and would not be flagged:
push security is awesome wow (longer passphrase cannot be reduced to a weak base word despite containing custom terms)
xsZwiBpushsecurityNH8oBx (longer password cannot be reduced to a weak base word despite containing custom terms)
pushsecuritys (the base word is not an exact match for the provided custom term; the check does not treat a term that appears inside a longer base word as a match)
fantasticsecurityoo7 (only matches a single term from the provided multi-word custom term)
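The following is an added example, not Push's own code: a small Python model of the check described above, written so that it flags exactly the four weak examples and passes the four others. The reverse-leet table, the cap on candidate readings and the short stand-in for the top-10,000 common password list are assumptions (the real list and Push's mapping are not published on this page).

```python
import itertools
import re
from typing import List, Optional, Set

# Constructed stand-in for the "top 10,000 easily guessable base passwords"
# the article mentions. The real list is not reproduced on the page.
COMMON_BASE_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "iloveyou", "dragon",
}

# Reverse "1337" substitutions: each numeral or symbol and the letter(s) it is
# commonly used to stand in for. Assumed mapping; Push's own table is unknown.
LEET_REVERSE = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s",
}

# Bound on the number of readings tried per password, so that a digit-heavy
# password cannot make the check do exponential work.
MAX_CANDIDATES = 4096


def normalize_term(term: str) -> str:
    """Custom terms are matched case-insensitively and with spaces ignored."""
    return re.sub(r"\s+", "", term).lower()


def base_words(password: str) -> Set[str]:
    """Reduce a password to the set of base words it could stand for.

    Letters are kept (lower-cased). Each numeral or symbol is either removed
    or, if it has a leet reading, replaced by each letter it can stand for.
    The first option for every non-letter is removal, so the plain "numbers
    and special characters removed" form is always the first candidate and
    survives the MAX_CANDIDATES cap.
    """
    options: List[List[str]] = []
    for ch in password.lower():
        if ch.isalpha():
            options.append([ch])
        else:
            options.append([""] + list(LEET_REVERSE.get(ch, "")))
    candidates: Set[str] = set()
    for combo in itertools.islice(itertools.product(*options), MAX_CANDIDATES):
        word = "".join(combo)
        if word:
            candidates.add(word)
    return candidates


def check_password(password: str, custom_terms: List[str]) -> Optional[str]:
    """Return why the password is flagged as weak, or None if it passes.

    A password is flagged only when one of its base words *is* a restricted
    term or a common password. A term buried inside a longer unique string
    (a passphrase, a random string) does not reduce to that term.
    """
    restricted = {normalize_term(t) for t in custom_terms}
    for base in sorted(base_words(password)):
        if base in restricted:
            return f"base word {base!r} is a restricted custom term"
        if base in COMMON_BASE_PASSWORDS:
            return f"base word {base!r} is a commonly used password"
    return None


if __name__ == "__main__":
    terms = ["push security"]
    for pw in ["pushsecurity", "pushsecurity2022", "PushSecur1ty!",
               "Push Security 123&", "push security is awesome wow",
               "xsZwiBpushsecurityNH8oBx", "pushsecuritys",
               "fantasticsecurityoo7", "P@ssw0rd!"]:
        print(f"{pw!r}: {check_password(pw, terms) or 'passes'}")
```

Two details carry the behaviour the article describes. The comparison is an exact match on the whole base word, not a substring search, which is why xsZwiBpushsecurityNH8oBx and the long passphrase pass while pushsecurity2022 does not. And the same normalisation is applied against the common-password list, so a password like P@ssw0rd! is flagged even though it contains no custom term.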