"This password has appeared in a data leak" notice on iPhone

Is there any way to find out what website the data leak was from when getting this in my iPhone settings?


I want to find the culprit for me now having to change my password used on 59 other sites.



[Re-Titled by Moderator]

iPhone 11

Posted on Sep 29, 2020 9:22 AM

Question marked as Top-ranking reply

Posted on Mar 28, 2021 7:32 AM

No, the problem is not with Apple. Apple is simply the messenger, telling you that a password (or passwords) that you have used have been found in published lists of passwords that have been stolen from various online sites. There are databases that are built by cybersecurity companies going to the dark web and seeing what stolen information is offered for sale by various criminal enterprises. Google offers a similar feature in Chrome, and the site https://haveibeenpwned.com can also tell you if a password that you use has been found in login information stolen from other sites.


If you want to learn about the hundreds of sites that have been hacked (many of which you probably use) Brian Krebs reports on the latest ones: https://krebsonsecurity.com. Some of the largest include Equifax, Marriott Hotels, the US Government’s personnel management agency, and many chain restaurants. And the most recent is almost all sites worldwide that use Microsoft Exchange.
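The answer above points at https://haveibeenpwned.com as a place to check a password. Its Pwned Passwords lookup is designed so the password (or its full hash) never leaves the device: the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally. The following is an added example, not code from the post or from Have I Been Pwned, modelling both sides of that exchange offline; the leak corpus and the counts in it are constructed, and the real endpoint (https://api.pwnedpasswords.com/range/<prefix>) is only mentioned, not called.

```python
"""Offline model of the k-anonymity password check used by Have I Been Pwned.

Server side: leaked SHA-1 hashes bucketed by their 5-character prefix.
Client side: hash the password, send only the prefix, match the 35-character
suffix locally. Everything here is constructed for the example.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
CONSTRUCTED_LEAKED = {
    "qwerty": 3_946_737,
    "password1": 2_417_139,
    "letmein": 260_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the real service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(leaked: dict) -> dict:
    """Server side: prefix -> list of 'SUFFIX:count' lines."""
    index = defaultdict(list)
    for password, count in leaked.items():
        digest = sha1_hex(password)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


def range_response(index: dict, prefix: str) -> str:
    """Server side: the text body returned for one prefix (empty if none)."""
    return "\r\n".join(index.get(prefix.upper(), []))


def pwned_count(password: str, index: dict) -> int:
    """Client side: only the 5-char prefix is sent; the suffix is matched here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = range_response(index, prefix)  # a real client would HTTP GET this
    for line in body.splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    idx = build_server_index(CONSTRUCTED_LEAKED)
    for pw in ("qwerty", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, idx)} times in constructed leaks")
```

To use this against the live service, `range_response` would be replaced by an HTTP GET of the documented range URL for the prefix; the matching logic stays the same, which is the point of the design: the server learns at most which one-in-a-million prefix bucket you asked about.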

133 replies

Mar 28, 2021 8:13 AM in response to Lawrence Finch

If one has a common password, let’s say “qwerty”, one will with 100% probability get a warning about a breached password. But it only means that this common password has appeared in some data leak. Most likely it has appeared in some other user’s username/password combination. So it doesn’t mean that your own username/password combination has leaked. It only means that someone somewhere used “qwerty” as a password on some site that got hacked.

Mar 28, 2021 8:46 AM in response to jarkko274

jarkko274 wrote:

If one has a common password, let’s say “qwerty”, one will with 100% probability get a warning about a breached password. But it only means that this common password has appeared in some data leak. Most likely it has appeared in some other user’s username/password combination. So it doesn’t mean that your own username/password combination has leaked. It only means that someone somewhere used “qwerty” as a password on some site that got hacked.


Yes, some common passwords do get flagged as poor choices.


There are widely-available lists of the five or ten thousand most common passwords, and I’ve been using those lists as a pre-filter for password selection for various production servers for some years.


Password reuse gets flagged, too.


The bigger risk here involves passwords associated with the account (usually an email address) that have been breached.


Those password pairs then get tested everywhere else. This password attack is sometimes called “cramming”.


And breached passwords do get flagged as higher-priority password changes.


The password listing shown on iPad and iPhone (Settings > Passwords > Password Recommendations) shows the particular risk associated with each listed password. A common password is one such risk. A re-used password is a larger risk. A breached and reused password is larger yet. Etc.


For readers here, look at your list of passwords, and work through the higher-priority changes down to the lower-priority changes, a few at a time or more, as time allows.
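The post above describes three things a password checker flags (a common password, a reused one, a breached one), a pre-filter that rejects common passwords before they are chosen, and a priority order in which a breached-and-reused password outranks a merely reused one, which outranks a merely common one. The following is an added example, not the post's code and not Apple's, that implements that triage over a small vault; the vault entries, the common-password list, the breach corpus and the weights are all constructed for the example.

```python
"""Triage of a password vault into the risk tiers described in the post:
common (on a top-N list), reused across sites, and breached (hash present in a
leak corpus), ranked so the most urgent changes come first. The vault, the
common-password list, the breach corpus and the weights are constructed."""
import hashlib
from collections import Counter

# Constructed stand-in for a "top 10,000 passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed breach corpus, held as hashes the way a checker would store it.
CONSTRUCTED_BREACHED = {sha1_hex(p) for p in ("qwerty", "Tr0ub4dor&3")}

# Constructed vault: (site, username, password).
VAULT = [
    ("shop.example", "bob@example.com", "qwerty"),
    ("mail.example", "bob@example.com", "Tr0ub4dor&3"),
    ("forum.example", "bob", "Tr0ub4dor&3"),
    ("bank.example", "bob", "v7Q!mL2#xR9pW4ct"),
]

# Weights chosen so breached > reused > common and combinations add up.
WEIGHTS = {"breached": 4, "reused": 2, "common": 1}


def triage(vault, common=COMMON_PASSWORDS, breached=CONSTRUCTED_BREACHED):
    """One dict per vault entry, most urgent first (ties broken by site name)."""
    uses = Counter(pw for _, _, pw in vault)
    rows = []
    for site, user, pw in vault:
        reasons = []
        if pw in common:
            reasons.append("common")
        if uses[pw] > 1:
            reasons.append("reused")
        if sha1_hex(pw) in breached:
            reasons.append("breached")
        score = sum(WEIGHTS[r] for r in reasons)
        rows.append({"site": site, "user": user, "reasons": reasons, "score": score})
    return sorted(rows, key=lambda r: (-r["score"], r["site"]))


def accept_new_password(candidate, vault, common=COMMON_PASSWORDS,
                        breached=CONSTRUCTED_BREACHED):
    """Pre-filter for a proposed password: reject anything triage would flag."""
    if candidate in common:
        return False, "common"
    if sha1_hex(candidate) in breached:
        return False, "breached"
    if any(candidate == pw for _, _, pw in vault):
        return False, "reused"
    return True, "ok"


if __name__ == "__main__":
    for row in triage(VAULT):
        print(row["score"], row["site"], ", ".join(row["reasons"]) or "ok")
```

Working the sorted output from the top down is the procedure the post recommends: the two entries sharing a breached password come first, the common-and-breached one next, and the unique random password last with nothing to do.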

Mar 28, 2021 9:48 PM in response to MrHoffman

“Credentials pairs—account and password—that are breached are listed as breached. And listed as serious.”


Nope. It is enough that a certain _password_ has appeared in a database of breached passwords.


If user Bob has password “qwerty” on site A and user Alice has password “qwerty” on site B and site B gets hacked, Bob will get the warning “This password has appeared in a data leak” although Bob’s username/password pair was not hacked on a different site.


When the warning says “This password has appeared in a data leak” it means what it says.

Password has appeared in a data leak. Not necessarily your username/password combination.




Jan 19, 2021 2:46 PM in response to Lawrence Finch

Thanks Lawrence, I followed your advice and according to Apple 220 were detected, and the majority of leaks were associated with Gmail.


Then using https://haveibeenpwned.com/


their results were 11 associated with an iPrimus account (my mail account) and none detected in my Gmail account.


Looking at the leaks, they were a few years old and I do not use those websites.


I have changed some of the passwords but the Apple results have not updated, so my thoughts are there are issues with the Apple app and I am going to rely on https://haveibeenpwned.com/

cheers

Nov 9, 2020 5:18 PM in response to jwpinnacle

Apple has access to lists of passwords that have been compromised in data leaks from web sites and e-commerce providers. If you are seeing that message it means your password is on one of those lists. There are also public lists that you can check, most notably https://haveibeenpwned.com where you can check yourself. However, Apple’s list is larger than that one.

Dec 14, 2020 8:07 AM in response to dpowre

dpowre wrote:

So it appears that Apple is only reporting passwords that have been found in a dictionary of leaked passwords. This does not necessarily mean that your exact email/password combo has been leaked, nor linked to a specific website.

This is my interpretation of the messages, which for me do not say that the username/password pair has been leaked, only the password.


If this is the case then saying that your account may be compromised seems incorrect if a hacker does not have access to an associated email address or username for a particular site/service.


Are there specific messages that indicate both email/username and password have been found - that would be worrying but simply having one of your passwords in a huge dictionary of known passwords would be far less risky, though clearly hackers could attempt simplified 'brute force' attacks using a dictionary of common passwords used worldwide.

Dec 14, 2020 8:32 AM in response to Alley_Cat

Generally hackers who compromise a server get the complete profile of each user, including ID, password, and lots of personal information. The password for any competently managed site is salted and hashed with a strong hash (at least SHA-256, preferably SHA-512). (A “salt” is a semi-random string that is appended to the password before hashing.) The hash function generates a seemingly random string of characters, and is not reversible, so just because you have the hashed value of the passcode does not mean that you can easily determine the passcode itself. But many sites skip the salt. For these all you need to do is use a dictionary search and try every combination against the hash function (which you also got from the break-in) until you find a hashed password that matches. I say “you”, but there are plenty of apps that will do this for you while you sleep, or you could just write one; a few lines of C code. Even some salted hashes can be broken, if the salt is simple enough (like the user ID).


This becomes impractical if the password is long enough (20 characters, for example) and the site allows (and the user chooses) a large number of characters including punctuation. But most sites don’t support long passwords, and many exclude even basic punctuation characters. Apple’s keychain will generate very secure random passwords, but most sites where I have tried to use one of these reject it for either disallowed characters or length.


But the bottom line is that the user ID for every password that has been compromised is known, but not all passwords can be compromised.


We are not even talking about sites that save the password in plaintext and don’t hash it. If your site can tell you the password that you forgot that’s a site you don’t want to ever use. Properly secured sites have a way to create a new password, but cannot tell you what your password is.
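The post above explains why an unsalted hash is weak: one dictionary of hashed candidates can be compared against every user's stored value at once, while a per-user salt forces the work to be redone per account. The following is an added example, not the post's code, that shows both storage styles side by side in Python's standard library; the user table and the candidate dictionary are constructed, and PBKDF2-HMAC-SHA256 with a random 16-byte salt stands in for whatever slow KDF a real site would use.

```python
"""Unsalted fast hash versus per-user salt with a slow KDF.

Part one stores plain SHA-256 and shows that a single precomputed table of
common words answers for every user at once. Part two stores a random
per-user salt with PBKDF2-HMAC-SHA256: the same password produces different
records, the table no longer applies, and verification needs the stored salt.
The user table and dictionary are constructed for this example."""
import hashlib
import hmac
import os

CONSTRUCTED_DICTIONARY = ["123456", "password", "qwerty", "letmein"]


def unsalted_sha256(password: str) -> str:
    """How a site that 'skips the salt' would store a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(words) -> dict:
    """hash -> word, built once and reusable against any unsalted user table."""
    return {unsalted_sha256(w): w for w in words}


def match_unsalted(stored: dict, table: dict) -> dict:
    """For each user, the dictionary word whose hash matches, or None."""
    return {user: table.get(h) for user, h in stored.items()}


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Properly stored password: 16-byte random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt; constant-time compare of the result."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def match_salted(records: dict, table: dict) -> dict:
    """The unsalted table applied to salted records: nothing matches."""
    return {user: table.get(r["hash"]) for user, r in records.items()}


if __name__ == "__main__":
    table = precomputed_table(CONSTRUCTED_DICTIONARY)
    users = {"alice": unsalted_sha256("qwerty"),
             "bob": unsalted_sha256("v7Q!mL2#xR9pW4ct")}
    print("unsalted:", match_unsalted(users, table))
    salted = {"alice": make_record("qwerty"), "carol": make_record("qwerty")}
    print("same password, different records:",
          salted["alice"]["hash"] != salted["carol"]["hash"])
    print("salted:", match_salted(salted, table))
    print("verify:", verify("qwerty", salted["alice"]))
```

The salt does not make a weak password strong; "qwerty" is still guessable per user. What it removes is the shared, precomputed shortcut, and the iteration count makes each per-user guess cost something.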

Feb 28, 2021 7:04 AM in response to jarkko274

Using a weak password is certainly an issue, though both the folks providing the breach notifications and the miscreants have access to an ever-increasing number of known username and password pairs and those too receive notifications.


To see if and how many breaches that your email address(es) have been caught up in, visit:

https://haveibeenpwned.com/

Dec 3, 2020 7:06 AM in response to tutu786

tutu786 wrote:

But to keep passwords for every websites is insane.

No, it is not only sane, it is the ONLY way to stay relatively safe. If you use the same password for multiple sites it pretty much guarantees that you will be hacked. Use a password vault app so you don’t have to remember any of them. If you use only Apple products the built in Keychain will do nicely. But all major web browsers also have the ability to save your passwords, including Firefox, Safari, Opera, Chrome, etc. And there are quite a few 3rd party password vaults; here are some (not a complete list):

  • 1password (generally considered the best)
  • lastpass
  • SplashID safe
  • Dropbox Passwords


All of these work the same way. They store your passwords using strong encryption, and you only have to remember one password for the app itself to find any password and have it entered automatically into the website or app.

Feb 16, 2021 5:35 AM in response to jwpinnacle

The miscreants will use any password found associated with an email address, and will then try those combinations ~everywhere.


Apple’s re-used password lists do correct themselves, though I’ve found stale password entries in the keychain can need to be located and manually removed after the active password keychain entry is updated—as website logins have moved around with some services, I’ve accrued stale entries, and those still get flagged. Just cleaned up several associated with the old and now-retired Apple login servers, and have more still to clean.


The duplicate-password display in macOS Safari is easier to use, when cleaning up stale and duplicate passwords.


I’d tend to expect that Apple uses their own password servers and data collection, possibly proxying into haveibeenpwned or other services. Apple generates a lot of network traffic, and even light traffic from a billion devices would bury many online network services.
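The post above describes the attacker's side of credential stuffing: take every email/password pair found in a leak and try it everywhere. From the defender's side the same behaviour has a recognisable shape in an authentication log, one source address cycling through many different usernames in a short burst, and the successes inside that burst are the accounts whose leaked credentials still worked. The following is an added example, not the post's code, that runs that detection over a few constructed log lines; the log format and the addresses (from the TEST-NET documentation ranges) are invented for the example.

```python
"""Detection of a credential-stuffing burst in an authentication log: one
source address trying many distinct usernames inside a short window.
Added example; the log format and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CONSTRUCTED_LOG = """\
2021-02-16T05:31:02Z ip=203.0.113.7 user=alice result=FAIL
2021-02-16T05:31:05Z ip=203.0.113.7 user=bob result=OK
2021-02-16T05:31:09Z ip=203.0.113.7 user=carol result=FAIL
2021-02-16T05:31:14Z ip=203.0.113.7 user=dave result=FAIL
2021-02-16T05:31:20Z ip=203.0.113.7 user=erin result=FAIL
2021-02-16T05:31:27Z ip=203.0.113.7 user=frank result=FAIL
2021-02-16T05:40:01Z ip=198.51.100.4 user=alice result=FAIL
2021-02-16T05:40:15Z ip=198.51.100.4 user=alice result=FAIL
2021-02-16T05:40:30Z ip=198.51.100.4 user=alice result=OK
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """List of event dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(event)
    return events


def detect_stuffing(events, min_users=5, window=timedelta(minutes=10)) -> dict:
    """Flag each source IP that tried >= min_users distinct usernames within
    `window`. Successful logins inside such a burst are listed as
    'compromised': the attacker already held working credentials for them."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide start forward so evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_users:
                continue
            hit = flagged.setdefault(
                ip, {"distinct_users": 0, "failures": 0, "compromised": set()})
            hit["distinct_users"] = max(hit["distinct_users"], len(users))
            hit["failures"] = max(
                hit["failures"], sum(e["result"] == "FAIL" for e in span))
            hit["compromised"].update(e["user"] for e in span if e["result"] == "OK")
    return {ip: {**h, "compromised": sorted(h["compromised"])}
            for ip, h in flagged.items()}


if __name__ == "__main__":
    for ip, hit in detect_stuffing(parse_log(CONSTRUCTED_LOG)).items():
        print(ip, hit)
```

The second address in the sample is a single user fumbling their own password three times and then succeeding; it never reaches five distinct usernames and is not flagged, which is the distinction a rule like this needs to keep to avoid drowning in ordinary typos.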

Mar 28, 2021 11:04 AM in response to Lawrence Finch

"So you are advocating NOT changing a password that has been leaked?"


I'm recommending changing it. I just want to explain that if you get the "This password has appeared in a data leak" warning, it does not necessarily mean that your own username/password has been hacked.


If I were to create a profile with username jarkko274 and password "qwerty" somewhere, I would immediately get the "This password has appeared in a data leak" warning, since "qwerty" has with 100% certainty appeared in some data leak.


Mar 28, 2021 2:53 PM in response to Confused_Canuck

If Apple says your password has been breached, that means it has appeared in a database of passwords that are for sale on the dark web and that have been collected by cybersecurity companies. This has nothing to do with passwords being easily guessed; those produce a different message, likewise for reused passwords. Even if in doubt you should change it, not just trust to luck.


The likelihood that a randomly generated password will be the same for 2 different users approaches zero. Randomly generated passwords are typically 15 or more random characters out of a universe of about 70 possible characters in each position. So that means there are 70×70×70…×70, 15 times, or 70^15 possible random passwords, or 5x10^27 different passwords.


Honestly, Apple adds a feature to iOS to protect its customers, and they get blamed for “fear-mongering”. As they say, no good deed goes unpunished. How does Apple benefit from telling you your data is at risk?


NOTE: Sorry for my original math error.

Mar 29, 2021 7:44 AM in response to jarkko274

jarkko274 wrote:

“If a password you use has been used by someone else, considering that there are trillions and more of possible passwords, it’s a weak password”

You’re right. I’m just discussing the mechanism.


You're debating a point that—even if you are correct, and of which that I doubt—the savings that you achieve here—avoiding a password change—are negligible in comparison to the risk entailed by following your advice should you be wrong about the data that Apple purports to have.


Apple specifically labels weak passwords as weak passwords. Weak. Not as breached passwords.


You have specifically decided that Apple lacks the insight and/or that Apple has bad data around what Apple specifically labels as breached credentials, and thus your conclusion here is that users should discount the data Apple purports to have, and to avoid doing what Apple specifically recommends. All to avoid changing a password that Apple specifically labels as a serious problem.


If you're right—if this is "merely" a common password that'll be easily found by hashcat or other tools—then I've saved the effort of changing a few of what you claim are mislabeled, weak passwords to better password choices. And my "weak" password will be more quickly found in the hashes, should the service associated with that password subsequently be breached. Re-use is bad, but ~all of us reuse some passwords.


If you're wrong—if Apple has found matching credentials in a breach—then I risk the effort of cleaning up after a breach right now, or just as soon as somebody crams the credentials.


I’ll change passwords flagged as breached soonest, and recommend others here do the same.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
