How does the Push browser extension securely track reused passwords?
The Push browser extension is able to identify when passwords are being reused across different SaaS applications, allowing you to identify potential risks in your environment and then nudge employees to use unique, secure passwords via ChatOps.
The following is a technical explanation of how the Push extension does this, and the security measures it implements to protect passwords.
When the extension is first installed, a salt (UUIDv4) is generated and stored locally in extension storage.
Every time a user logs into a SaaS application, a SHA256 hash of the salt plus password is calculated, and the first 5 characters are stored. This is called a password fingerprint.
These salted partial hashes (fingerprints) are stored from the background script of the browser extension, along with the account email address and the SaaS application they belong to. This storage is only accessible from the Push extension itself.
When a login occurs, the Push extension sends which SaaS app was logged into and whether it’s sharing a password with another locally observed account, which is a boolean true/false. The password fingerprint is never sent anywhere and is only used for these local comparisons.
This design also means that reused passwords can’t be tracked across different browsers that the employee may use. This approach allows us to balance functionality and security.
In addition, any attempted exploitation of this functionality would require privileged access to the host running the extension, as well as the skill and stamina to successfully complete a brute-force attack by retrieving and then comparing only the first 5 characters of 64-character SHA256 hashes in a universe where trillions of collisions exist (e.g. multiple passwords equating to the same 5-character string). This type of attack would be much more difficult than alternative approaches that an attacker with privileged access could attempt that would achieve the same aims.