
"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this in my iPhone settings?


I want to find the culprit for me now having to change my password used on 59 other sites



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Question marked as Best reply

Posted on Nov 7, 2020 5:33 AM

I have a similar scenario, receiving a notification on my iPhone that approx. 80 of my username/passwords are the subject of a data breach. However, many of my passwords on this notification are different, i.e., not the same password across all sites. I often use a similar password but with different letters or numbers at the end.


Some of these notifications even related to my wife's email addresses and passwords, and one was my son's school log-on with different passwords.


So how can it be that all these websites have suffered a data breach at the same time?


I can understand the concept of, say, a retailer's website getting hacked and suffering a data breach that contains a list of all its customers including my email and password. And I get that as a precaution Apple may notify me about a potential breach for any other websites where I may have the same email & password combination. But why would I be notified of many other passwords being at risk? Is it because they may contain 'part' of the same password? But that still doesn't explain the notifications relating to my wife's and son's passwords, which are nothing like mine.


It's almost as if Apple's whole keychain password app in my iPhone has been compromised and it's spat out all the ones that don't contain an 18-key encryption.


I'm slowly working through them all again and changing them.


Thanks



133 replies

Aug 10, 2021 3:11 AM in response to ACliveB

haveibeenpwned contacts multiple famous services such as Wattpad and Mathway, etc., to see if they have been exposed to hackers and accounts have been sold or leaked, and might also confirm that your email or phone number is part of that list.

This methodology has some limitations however, as it relies on companies actually admitting and giving a record of emails stating that they have been hacked.

Contrastingly, Apple's Keychain services use a different method. Like many VPN services such as NordVPN, Keychain actually references many deep web links to compromised accounts and immediately contacts the owner. Quote:


"To verify whether a password not present in the local list is a match involves some interaction with Apple servers. To help ensure that legitimate users’ passwords aren’t sent to Apple, a form of cryptographic private set intersection is deployed that compares the users’ passwords against a large set of leaked passwords. This is designed to ensure that for passwords less at risk of breach, little information is shared with Apple. For a user’s password, this information is limited to a 15-bit prefix of a cryptographic hash. The removal of the most frequently leaked passwords from this interactive process, using the local list of most commonly leaked passwords, reduces the delta in relative frequency of passwords in the web services buckets, making it impractical to infer user passwords from these lookups."


(In short, cutting through the bull-**** (excuse the French).) It is a way faster and more secure system. Here's a link to Apple's website that explains it sort of well: Password Monitoring

Hope this helps!


Royce
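The quoted Apple text describes a lookup where the device shares only a 15-bit prefix of a password hash and finishes the comparison itself. The following is an added toy simulation of that bucketed-prefix idea, not Apple's code and not the private-set-intersection protocol Apple actually runs: the hash function (SHA-256), the leaked-password corpus and all names are constructed for this demonstration. It shows what the server learns (only prefixes), and why a 15-bit prefix alone cannot identify the password.

```python
"""Toy bucketed leaked-password lookup (constructed example, not Apple's code).

The client hashes its password, sends only a short prefix of the hash, and
the server answers with every leaked hash sharing that prefix.  The client
then finishes the comparison locally, so the server never sees the password
or even its full hash.  The 15-bit prefix length comes from the quoted Apple
text; SHA-256 and the sample corpus are assumptions for this demonstration,
and Apple's real private-set-intersection protocol is not reproduced.
"""
import hashlib

PREFIX_BITS = 15

# Constructed stand-in for a server-side corpus of leaked passwords.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def password_hash(password: str) -> str:
    """Hex SHA-256 of the password (assumed hash for this example)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_prefix(digest_hex: str, bits: int = PREFIX_BITS) -> int:
    """Return the leading `bits` bits of a hex digest as an integer."""
    total_bits = len(digest_hex) * 4
    return int(digest_hex, 16) >> (total_bits - bits)


class LeakServer:
    """Server side: full hashes bucketed by prefix; records what it learns."""

    def __init__(self, leaked_passwords):
        self.buckets = {}
        for pw in leaked_passwords:
            h = password_hash(pw)
            self.buckets.setdefault(hash_prefix(h), set()).add(h)
        self.queries_seen = []  # only prefixes ever reach the server

    def lookup(self, prefix: int):
        self.queries_seen.append(prefix)
        return sorted(self.buckets.get(prefix, set()))


def is_leaked(password: str, server: LeakServer) -> bool:
    """Client side: send the prefix, compare the full hash locally."""
    h = password_hash(password)
    return h in server.lookup(hash_prefix(h))


def find_prefix_twin(password: str, limit: int = 500_000) -> str:
    """Find a different string whose hash shares the prefix of `password`.

    Shows why a 15-bit prefix on its own does not identify the password:
    roughly one candidate in 2**15 lands in the same bucket.
    """
    target = hash_prefix(password_hash(password))
    for i in range(limit):
        candidate = f"candidate-{i}"
        if candidate != password and hash_prefix(password_hash(candidate)) == target:
            return candidate
    raise RuntimeError("no prefix twin found within limit")


if __name__ == "__main__":
    server = LeakServer(LEAKED_PASSWORDS)
    print("'password' leaked?", is_leaked("password", server))
    print("long phrase leaked?", is_leaked("correct horse battery staple", server))
    twin = find_prefix_twin("password")
    print("shares a prefix with 'password' but is not leaked:", twin, is_leaked(twin, server))
    print("server saw only these prefixes:", server.queries_seen)
```

The point of `find_prefix_twin` is the privacy argument in the quote: many unrelated strings map to the same 15-bit bucket, so the prefix the server receives is consistent with a huge number of passwords, while the full-hash comparison that decides "leaked or not" never leaves the client.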

Oct 18, 2020 4:27 PM in response to kitt161

It has nothing to do with your buying a phone from eBay. iOS 14 checks passwords that you enter against a published list of compromised passwords that have been found in data leaks. You can check them yourself by going to https://haveibeenpwned.com and tapping on Passwords.


The greatest risk is if you use the same password on multiple sites, and/or you don’t use strong passwords (meaning at least 8, and preferably 12, character passwords that don’t contain any personally identifiable information).

Nov 1, 2020 3:26 AM in response to MrHoffman

Interestingly, iOS showed me a breach for an account that other websites do not detect as being hacked.


I checked with Avast, F-Secure, and haveibeenpwned. None of them show that particular login account for a 3rd-party service as being breached, but iOS does. I guess Apple is deeper in the darknet than others, so to speak 😉.


I really appreciate this new service from Apple. Well done!

Nov 22, 2020 5:44 PM in response to MrHoffman

It would still be nice to know where Apple is getting their data from. Some of my passwords are popping up on my iPhone, even though the associated email address has no results on haveibeenpwned. I've always used haveibeenpwned as a source of truth on leaks, and now I don't know who to trust if various sources don't agree. Hard to tell if one is missing data, or one is exaggerating it.

Dec 8, 2020 2:54 PM in response to dpowre

So it appears that Apple is only reporting passwords that have been found in a dictionary of leaked passwords. This does not necessarily mean that your exact email/password combo has been leaked, nor linked to a specific website. Whereas haveibeenpwned generally reports actual database leaks of your information. Can anyone confirm this?

Dec 14, 2020 8:32 AM in response to Alley_Cat

Generally, hackers who compromise a server get the complete profile of each user, including ID, password, and lots of personal information. The password for any competently managed site is salted and hashed with a strong hash (at least SHA-256, preferably SHA-512). (A “salt” is a semi-random string that is appended to the password before hashing.) The hash function generates a seemingly random string of characters, and is not reversible, so just because you have the hashed value of the passcode does not mean that you can easily determine the passcode itself. But many sites skip the salt. For these all you need to do is use a dictionary search and try every combination against the hash function (which you also got from the break-in) until you find a hashed password that matches. I say “you”, but there are plenty of apps that will do this for you while you sleep, or you could just write one; a few lines of C code. Even some salted hashes can be broken, if the salt is simple enough (like the user ID).


This becomes impractical if the password is long enough (20 characters, for example) and allows (and the user chooses) a large number of characters including punctuation. But most sites don’t support long passwords, and many exclude even basic punctuation characters. Apple’s keychain will generate very secure random passwords, but most sites where I have tried to use one of these reject it for either disallowed characters or length.


But the bottom line is that the user ID for every password that has been compromised is known, but not all passwords can be compromised.


We are not even talking about sites that save the password in plaintext and don’t hash it. If your site can tell you the password that you forgot that’s a site you don’t want to ever use. Properly secured sites have a way to create a new password, but cannot tell you what your password is.
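The post above contrasts unsalted hashing with salted hashing. The following added example (written for this thread, not code from the post or from Apple) makes the difference concrete from the defender's side: with an unsalted hash, every user who chose the same password ends up with the same stored value, which a leaked table exposes without any cracking at all, whereas a per-user random salt makes each stored value unique. The salt idea follows the post; the use of PBKDF2-HMAC-SHA256 rather than a single SHA-256 over password plus salt is a deliberate choice here, as are the constructed user names and passwords.

```python
"""Unsalted vs. salted password storage (added example, not from the thread).

Mirrors the post's point: an unsalted hash gives every user with the same
password the same stored value, so one precomputed dictionary of hashes
covers all of them at once; a per-user random salt breaks that.  The post
describes a salt appended to the password before SHA-256/SHA-512; this
example uses PBKDF2-HMAC-SHA256 instead (a deliberate choice here, not from
the post) so that each guess is also slow.  Users and passwords are made up.
"""
import hashlib
import hmac
import os
from typing import Optional


def unsalted_hash(password: str) -> str:
    """The weak scheme: identical passwords -> identical stored hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> dict:
    """Store salt, iteration count and PBKDF2 output; salt is random per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hashes(stored: dict) -> set:
    """Hash values that appear under more than one user id.

    For an unsalted table this exposes password reuse without cracking
    anything; for a properly salted table it is empty.
    """
    seen, dupes = {}, set()
    for user, value in stored.items():
        if value in seen:
            dupes.add(value)
        seen[value] = user
    return dupes


if __name__ == "__main__":
    # Constructed users; two of them chose the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}

    unsalted_table = {u: unsalted_hash(p) for u, p in users.items()}
    salted_table = {u: salted_record(p) for u, p in users.items()}

    print("unsalted duplicates:", shared_hashes(unsalted_table))
    print("salted duplicates:",
          shared_hashes({u: r["hash"] for u, r in salted_table.items()}))
    print("bob verifies with correct password:", verify_salted("hunter2", salted_table["bob"]))
    print("bob verifies with wrong password:", verify_salted("Hunter2", salted_table["bob"]))
```

`shared_hashes` is the check worth running over any password table you are responsible for: if it returns anything, the table is unsalted (or salted per site rather than per user) and a single leak of that table reveals which accounts share a password before any guessing starts.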

Nov 7, 2020 8:55 PM in response to Aqellezra

I came here to look for an answer as this is a very serious issue. And luckily, I found my answer.

But if I still had questions regarding this thread, I wouldn’t dare ask. A couple of higher level ladies/gentlemen gave informative, teaching answers with references and I thank you.

So I am assuming this is the result of the latest security updates. Thank you again.

Nov 9, 2020 5:18 PM in response to jwpinnacle

Apple has access to lists of passwords that have been compromised in data leaks from web sites and e-commerce providers. If you are seeing that message it means your password is on one of those lists. There are also public lists that you can check, most notably https://haveibeenpwned.com where you can check yourself. However, Apple’s list is larger than that one.
