"This password has appeared in a data leak" notice on iPhone

There is no “standard” list. Various security firms collect data that is for sale on the dark web and compile their own lists. I don’t know Apple’s source, but it probably isn’t the same as haveibeenpwned.

So your explanation as to how Apple knows a password has been breached when no other public website - whose whole purpose is to list breached passwords - doesn't know is what exactly ? Go ahead, .... let's see how much sense YOU make.

It would still be nice to know where Apple is getting their data from. Some of my passwords are popping on my iPhone, even though the associated email address has no results on haveibeenpwned. I've always used haveibeenpwned as a source of truth on leaks, and now I don't know who to trust if various sources don't agree. Hard to tell if one is missing data, or one is exaggerating it.

Any compromised password has an associated user ID, and also the account it was harvested from. So if you have a password that is on the list anyone who buys your record from the stolen database can access the associated site - unless you also have 2 factor authentication.

It has nothing to do with your buying a phone from eBay. iOS 14 checks passwords that you enter against a published list of compromised passwords that have been found in data leaks. You can check them yourself at https://haveibeenpwned.com and tapping on Passwords.

The greatest risk is if you use the same password on multiple sites, and/or you don’t use strong passwords (meaning at least 8, and preferably 12 character passwords that don’t any personally identifiable information).

Interestingly, iOS showed me a breach for an account that other websites do not detect as a being hacked.

I checked with avast, f-secure, and haveibeenpwned. None of them show that particular login account for a 3rd party service as being breached, but iOS. I guess Apple is deeper in the darknet than other, so to speak 😉.

I really appreciate this new service from Apple. Well done!

Thanks but Lawrence - I have updated my password nearly every few days and the password is not used on similar accounts - so it does not make sense. I could understand if it was the same - I have relied on Apple providing protection now I am thinking of getting a third party protector - seek your opinion

Fully agree -According to Apple I have 221 date leaks. I check via haveibeenpwnd and I have 11.

I go onto my my iPad and check my facebook and it states it is active at a town 100 kms away and have not been to that town for 30 years- do a security check with Facebook and haveibeenpwned - the FB Page has not been noted as a leak - so don't know who to trust!

So it appears that Apple is only reporting passwords that have been found in a dictionary of leaked passwords. This does not necessarily mean that your exact email/password combo has been leaked, nor linked to a specific website. Whereas haveibeenpwned generally reports actual database leaks of your information. Can anyone confirm this?

Generally hackers who compromise a server get the complete profile of each user, including ID, password, and lots of personal information. The password for any competently managed site is salted and hashed with a strong hash (at least SHA-256, preferably SHA-512). (A “salt” is a semi random string that is appended to the password before hashing.) The hash function generates a seemingly random string of characters, and is not reversible, so just because you have the hashed value of the passcode does not mean that you can easily determine the passcode itself. But many sites skip the salt. For these all you need to do is use a dictionary search and try every combination against the hash function (which you also got from the break-in) until you find a hashed password that matches. I say “you”, but there are plenty of apps that will do this for you while you sleep, or you could just write one; a few lines of C code. Even some salted hashes can be broken, if the salt is simple enough (like the user ID).

This becomes impractical if the password is long enough (20 characters, for example) and allows (and the user chooses) a large number of characters including punctuation. But most sites don’t support long passwords, and many exclude even basic punctuation characters. Apple’s keychain will generate very secure random passwords, but must sites where I have tried to use one of these reject it for either disallowed characters of length.

But the bottom line is that the user ID for every password that has been compromised is known, but not all passwords can be compromised.

We are not even talking about sites that save the password in plaintext and don’t hash it. If your site can tell you the password that you forgot that’s a site you don’t want to ever use. Properly secured sites have a way to create a new password, but cannot tell you what your password is.

They should say that then, not something untrue.

But I was just curious, culprit as joking it’s not that serious.

And we would know this how?

I want to find the culprit for me now having to change my password used on 59 other sites

Your statement certainly looked serious.

Yes. My question is where is that list ? How can it be different to the standard list everyone uses ? Unless it is a list of passwords Apple themselves have released in some way why would they know more ?