How does Push determine if a password is weak?

For an overview of the Push browser extension and the basic data it collects, refer to this related knowledge base article.

Push uses a browser extension to identify when an employee is using a weak password to log into SaaS applications. If Push has identified one or more weak passwords, you’ll see a Recommended improvement for that employee when viewing the employee’s details in the Push admin console.

When an employee has a weak password, you'll see a message in the Push admin console as a recommended improvement.

You can then use ChatOps to encourage employees with weak passwords to update them. To get started messaging employees, enable the ChatOps topic for Fix password issues.

To determine if a password is weak, the Push browser extension checks the password against:

  • A list of top 10,000 weak base passwords

  • Number and special character variations on these weak base passwords, for example: Password1!, January2022

  • Variations on these weak base passwords that replace letters with numerals (leetspeak, or "1337"), for example: P455w0rd
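
The three checks listed above can be sketched as follows. This is an added example, not Push's own code: the five-entry list stands in for the 10,000-entry list, and the leetspeak mapping, function names and result labels are assumptions. It handles trailing digits and special characters only, and runs entirely in memory with no network calls.

```javascript
// Constructed sample standing in for the top 10,000 weak base passwords.
const WEAK_BASES = new Set(["password", "january", "qwerty", "letmein", "welcome"]);

// Assumed leetspeak substitutions; the extension's real mapping is not given on this page.
const LEET = new Map([
  ["0", "o"], ["1", "i"], ["3", "e"], ["4", "a"], ["5", "s"],
  ["7", "t"], ["@", "a"], ["$", "s"], ["!", "i"],
]);

// Map each leetspeak character back to the letter it stands for.
function deLeet(s) {
  return [...s].map((c) => LEET.get(c) ?? c).join("");
}

// Returns why the password is weak ("base", "suffix", "leet", "leet+suffix")
// or null if none of the three checks matches.
function classifyPassword(password) {
  const lower = password.toLowerCase();

  // Check 1: the password is itself a weak base password.
  if (WEAK_BASES.has(lower)) return "base";

  // Checks 2 and 3: try every cut point inside the trailing run of digits and
  // special characters, because a trailing "5" or "!" may be either a suffix
  // ("Password1!") or a leetspeak letter that belongs to the base word.
  const tailLength = lower.match(/[^a-z]*$/)[0].length;
  for (let cut = lower.length; cut >= lower.length - tailLength; cut--) {
    const head = lower.slice(0, cut);
    if (!head) break; // nothing left to compare
    const hasSuffix = cut < lower.length;
    if (WEAK_BASES.has(head)) return "suffix";
    if (WEAK_BASES.has(deLeet(head))) return hasSuffix ? "leet+suffix" : "leet";
  }
  return null;
}

// Constructed inputs, including the examples given in the list above.
for (const pw of ["Password1!", "January2022", "P455w0rd", "P455w0rd!", "correct horse battery staple"]) {
  console.log(pw, "->", classifyPassword(pw));
}
```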

All password checks are performed locally in the browser extension, and it never sends passwords anywhere. For more details about how Push securely handles discovery of reused passwords, refer to this related knowledge base article.

You can find the list of top 10,000 weak base passwords used in the Push browser extension on GitHub.