Upcoming Webinar, Dec 5th — Phish Kit Teardown

Ready to help

How does the Push browser extension securely analyze passwords?

The following is a technical explanation of how the Push extension securely analyzes passwords observed in the browser:

  • When the extension is first installed, a salt (UUIDv4) is generated and stored locally in extension storage.

  • Every time a user logs into a SaaS application, a SHA256 hash of the salt plus password is calculated, and the first 8 characters are stored. This is called a password fingerprint.

  • These salted partial hashes (fingerprints) are stored from the background script of the browser extension, along with the account email address and the SaaS application they belong to. This storage is only accessible from the Push extension itself and is not sent to the Push back end.

Any attempted exploitation of this functionality would require privileged access to the host running the extension, as well as the skill and stamina to successfully complete a brute-force attack by retrieving and then comparing only the first 8 characters of 64-character SHA256 hashes in a universe where trillions of collisions exist (e.g. multiple passwords equating to the same 8-character string). This type of attack would be much more difficult than alternative approaches that an attacker with privileged access could attempt that would achieve the same aims.