jarkko274 wrote:
Of course. But if username Bob has password “qwerty” in a site A and username Alice has password “qwerty” in site B and site B gets hacked, Bob will get warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked.
Based on the tags shown in the password recommendations, that appears to be incorrect.
Apple refers to the commonly-used passwords as being “easily guessed”. When these cases do occur, these “easily guessed” passwords are listed in the password report available on iPhone and iPad, with an indication that the password is not a robust choice. This is seemingly what you are referring to above with “qwerty” or similarly common password selections such as “password” or “123456” or such.
Apple detects and flags other of our problem passwords as being “reused passwords”, which can quickly turn into a larger problem.
The most critical password problems are what Apple lists as “this password has appeared in a data leak”. These are breached credential pairs; cases where your email address or your account name and your password are associated together and are known to others. This is a password problem just waiting for the first botnet to try that credentials pair elsewhere, which is commonly happening, and Apple IDs can be or are valuable targets.
The “easily guessed” and the re-used passwords are of somewhat lower risk, with those becoming a more serious problem if (when?) those credentials are leaked somewhere.
Per Apple, iPhone also securely monitors your passwords and alerts you if they appear in known data leaks. If you don’t want iPhone to perform this monitoring, go to Settings > Passwords > Security Recommendations, then turn off Detect Compromised Passwords.
I’d encourage leaving this password-detection setting enabled, and resolving weak passwords and re-used passwords as reasonably feasible, and resolving breached passwords immediately.