"This password has appeared in a data leak" notice on iPhone

Just a reminder. The Apple warning may be a false positive. As a few others have chimed in, Apple support says the same and they just want you to change your password. They're inciting fear which is a terrible thing. But it's ok. Insurrection and incitement is perfectly acceptable in the West.

Also, anytime you enter your password online to sites which check for password breaches, you're opening up yourself to being compromised. I suggest after you do this, you change your password anyway.

And to the Apple missionaries and activists, Apple is playing you if you believe they genuinely care about our privacy. They may care more than Huawei or Google, but they still can't be trusted completely. They don't have their own special forces unit or exclusive database that checks your password for breaches. They use what everyone else does.

The miscreants will use any password found associated with an email address, and will then try those combinations ~everywhere.

Apple’s re-used password lists do correct themselves, though I’ve found stale password entries in the keychain can need to be located and manually removed after the active password keychain entry is updated—as website logins have moved around with some services, I’ve accrued stale entries, and those still get flagged. Just cleaned up several associated with the old and now-retired Apple login servers, and have more still to clean.

The duplicate-password display in macOS Safari is easier to use, when cleaning up stale and duplicate passwords.

I’d tend to expect that Apple uses their own password servers and data collection, possibly proxying into haveibeenpwned or other services. Apple generates a lot of network traffic, and even light traffic from a billion devices would bury many online network services.

"I’d tend to expect that Apple uses their own password servers and data collection, possibly proxying into haveibeenpwned or other services. Apple generates a lot of network traffic, and even light traffic from a billion devices would bury many online network services."

And how would only Apple identify compromised passwords that even security companies don't? If anything, they might flag a weaker password as compromised.

As others have said, many times your password isn't compromised. Apple wants you to change it for any number of reasons other than that.

Instead of saying specifically why, they just falsely say it's compromised. That's fear mongering and lying.

I’ve checked and the passwords that Apple flagged, and those had been in dumps of my accounts from else-network. In years past, I did re-use some of what I considered throw-away passwords. Anyway, you do you, of course.

As for hashes, there are two sorts in common use. Digest hashes, which are fast to calculate, but slow to generate collisions (matching hashes), and password hashes, which are intentionally slow to calculate, and slow to generate collisions. The former are unfortunately sometimes misused for passwords. The latter are designed to be resource-intensive for memory and difficult to parallelize, and expensive to implement in hardware.

Brute-forcing passwords is certainly possible, with better password hashes and longer and more robust passwords pushing that brute-forcing into decades or centuries with current hardware.

Brute-forcing involves first trying previously-used passwords (which is what Apple is flagging, here), then trying widely-used passwords, then trying variations of those, then trying every password. The lattermost effort takes a very long time with algorithms such as PBKDF2 and bcrypt, and rather less time with a password store that chose a (quicker-to-calculate) message digest hash.

If one has common password, let’s say “qwerty”, one will with 100% probability get warning about breached password. But it only means that this common password has appeared in some data leak. Most likely it has appeared in some other users username/password combination. So it doesn’t mean that your own username/password has leaked. It only means that someone somewhere used “qwerty” as password in some site that got hacked.

Using a weak password is certainly an issue, though both the folks providing the breach notifications and the miscreants have access to an ever-increasing number of known username and password pairs and those too receive notifications.

To see if and how many breaches that your email address(es) have been caught up in, visit:

https://haveibeenpwned.com/

I’ve had this problem ever since updating to iOS 14.4. Different logins, different passwords, every time I login with Apple stored password this message pops up. It seems that the problem is not with an individual logins but with Apple, either with their settings for password storage, or a leak from iCloud that Apple hasn’t yet disclosed.

dimych28 wrote:

I’ve had this problem ever since updating to iOS 14.4. Different logins, different passwords, every time I login with Apple stored password this message pops up. It seems that the problem is not with an individual logins but with Apple, either with their settings for password storage, or a leak from iCloud that Apple hasn’t yet disclosed.

Apple provides a list of the weak or re-used or breached passwords in Settings > Passwords > Password Recommendations.

Work through that list resolving the problematic passwords, either switching to different passwords, or to generated passwords if you’re using Keychain or another password manager.

If you’d like to know where you’ve leaked passwords and the following breach information acquired from a different source, you can enter your email address into https://haveibeenpwned.com/

No, the problem is not with Apple. Apple is simply the messenger, telling you that a password (or passwords) that you have used have been found in published lists of passwords that have been stolen from various online sites. There are databases that are built by cybersecurity companies going to the dark web and seeing what stolen information is offered for sale by various criminal enterprises. Google offers a similar feature in Chrome, and the site https://haveibeenpwned.com can also tell you if a password that you use has been found in login information stolen from other sites.

If you want to learn about the hundreds of sites that have been hacked (many of which you probably use) Brian Krebs reports on the latest ones: https://krebsonsecurity.com. Some of the largest include Equifax, Marriott Hotels, the US Government’s personnel management agency, and many chain restaurants. And the most recent is almost all sites worldwide that use Microsoft Exchange.

If one has a common password, let’s say “qwerty”, one will with 100% probability get warning about breached password. But it only means that this common password has appeared in some data leak. Most likely it has appeared in some other users username/password combination. So it doesn’t mean that your own username/password combination has leaked. It only means that someone somewhere used “qwerty” as password in some site that got hacked.

That’s true, and anyone who uses such a password deserves what they get. I hope that is very few people.

But what you are missing is that the databases of hacked accounts have both the user ID and matching password, so if your login is janedoe@xyzzy.com, your password is qwerty and your account is with equifax (or any other site, like your bank, the IRS, Social Security, etc) whoever wants to hack your account on equifax has your login AND your password. And also your social security number, your address, your phone number, credit card numbers, your mother’s maiden name and lots of other personal stuff (because when Equifax was hacked all of that information was in their database). So even if you change your password they know enough about you to call equifax, pretend they are you (because they know all your details) and get your password changed. Unless you have 2 factor authentication on your account.

And even that isn’t a guarantee if hacking you is worth enough to them, because they can do a SIM swap and intercept your text messages. SIM swaps are risky enough so they are unlikely to do it for the average person, but there was a front page story in several papers yesterday about someone whose Coinbase account was hacked and $100,000 was taken from their bitcoin account, using a SIM swap.

jarkko274 wrote:

If one has a common password, let’s say “qwerty”, one will with 100% probability get warning about breached password. But it only means that this common password has appeared in some data leak. Most likely it has appeared in some other users username/password combination. So it doesn’t mean that your own username/password combination has leaked. It only means that someone somewhere used “qwerty” as password in some site that got hacked.

Yes, some common passwords do get flagged as poor choices.

There are widely-available lists of the five or ten thousand most common passwords, and I’ve been using those lists as a pre-filter for password selection for various production servers for some years.

Password reuse gets flagged, too.

The bigger risk here involves passwords associated with the account (usually an email address) that have been breached.

Those password pairs then get tested everywhere else. This password attack is sometimes called “cramming”.

And breached passwords do get flagged as higher-priority password changes.

The password listing shown on iPad and iPhone (Settings > Passwords > Password Recommendations) includes the particular risk associated of each listed password is shown. A common password is one such risk. A re-used password is a larger risk. A breached and reused password yet larger. Etc.

For readers here, look at your list of passwords, and work through the higher-priority changes down to the lower-priority changes, a few at a time or more, as time allows.

My point was, that when you get the "This password has appeared in a data leak" warning, it only means, what it literally says. Password has appeared in a data leak. It does not necessarily mean that _your_ username/password combination has appeared in a data leak. If you have a common password, it will very probably appear in some data leak, because some other user has used it.

jarkko274 wrote:

My point was, that when you get the "This password has appeared in a data leak" warning, it only means, what it literally says. Password has appeared in a data leak. It does not necessarily mean that _your_ username/password combination has appeared in a data leak. If you have a common password, it will very probably appear in some data leak, because some other user has used it.

AFAIK, that’s incorrect. If the password is listed as having been included in a data leak, it’s a password pair that’s been breached.

A weak password—one that’s been used often enough in enough other leaks for enough other accounts to become considered a weak password—is flagged as a weak password. That is, it’s a poor password choice, but not a leaked pair.

In any case, this thread will continue to be discussions about weak passwords, re-used passwords, and folks including myself that have had password pairs that have appeared in breaches.

The service linked earlier will show cases where the pairs have leaked: https://haveibeenpwned.com — these are the larger risk, particularly for those of us that have then re-used the pair.

What internal and/or external password services Apple might use for their detection is not documented.

Of course. But if username Bob has password “qwerty” in a site A and username Alice has password “qwerty “in site B and site B gets hacked, Bob will get warning “This password has appeared in a data leak” although Bob’s username/password pair is not hacked.