Despite the rise of two-factor authentication, password security remains a top priority. Unless your password is unique, relatively long, and has never appeared in plain text in a database leak, you should probably change it. For some sites, you may not have changed the password for years, or ever. (Conversely, if a password for a particular site is unique, long, and has never been exposed, there is no good reason to change it.)
Apple offers a tool to help you root out your worst passwords. Security recommendations are found in iOS/iPadOS in Settings > Passwords, and in macOS in System Settings > Passwords (Ventura), System Preferences > Passwords (Monterey), or Safari > Preferences/Settings > Passwords (all macOS versions). It’s easiest to manage on macOS, so the examples below are from Ventura.
The recommendations are divided into High Priority Recommendations and Other Recommendations. In my case, I had 18 in the first category and 68 in the other. (If you have no High Priority Recommendations, you may see only a single list.) It’s not clear why Apple promotes some entries to the High Priority category. Items listed as high priority for my account include a financial site, a government (.gov) site, and several Apple sites. The other sites listed don’t necessarily have anything in common – possibly the shortness of the password or how often a word was used in the password.
Warnings listed by Apple
Here’s what you’ll see as alerts in both high priority and standard priority listings:
Common password. Lists of frequently used passwords are the product of years of password leaks; passwords shared by many people can now be found on the internet by anyone, criminals and other attackers included. Apple notes, “A lot of people use this password, which makes it easy to guess.” I found some test accounts in this category: accounts that I created and never used or that were created for me temporarily. The passwords were as bad as the letter “a” and the word “password”. (These matches are made locally, against information Apple stores on your computer.)
Crackers who obtain an account database that lacks modern protections (per-user salting and slow hashing, which make identical passwords appear as distinct, cryptographically obscured entries) will run a list of the most commonly compromised passwords first. That is how they pick the low-hanging fruit: one pass over the list matches every account that uses any password on it.
Commonly used word. Apple warns you if your password is a common word, one that is short and used frequently in your language. Password crackers have long used dictionaries of common words; how much that matters today depends on how a site stores its passwords, but it’s still unwise to have a password that is all or mostly a common word.
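To make the cracking order concrete, here is an added example in Python; it is my illustration, not Apple’s code or anything from the article. It runs a short common-password list against a constructed five-account “leak” stored two ways: unsalted SHA-256 (the old style, where identical passwords produce identical records) and PBKDF2 with a per-user salt. The account data, the word list, and the choice of SHA-256/PBKDF2 are all assumptions for the demo.

```python
import hashlib
import os

# Constructed "leaked" account table for the demo. Not real data.
# Three users share "password", one uses the single letter "a".
LEAKED_PLAINTEXT = {
    "alice": "password",
    "bob": "password",
    "carol": "password",
    "dave": "a",
    "erin": "Tq7#vL9!mZ2pWx4kR",
}

# Stand-in for the "most commonly compromised passwords" list an attacker tries first.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "a", "letmein"]

PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs in about a second


def unsalted_table(accounts):
    """Old-style storage: one plain SHA-256 per password, no salt."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in accounts.items()}


def salted_table(accounts):
    """Per-user random salt plus a slow KDF: identical passwords get different records."""
    out = {}
    for u, p in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, PBKDF2_ROUNDS)
        out[u] = (salt, digest)
    return out


def duplicate_groups(table):
    """Accounts whose stored record is byte-for-byte identical.

    Visible to an attacker before a single guess is made, but only when the
    site did not salt its hashes.
    """
    by_record = {}
    for user, record in table.items():
        key = record if isinstance(record, str) else record[1]
        by_record.setdefault(key, []).append(user)
    return [users for users in by_record.values() if len(users) > 1]


def crack_unsalted(table, wordlist):
    """Hash each guess once and look it up against every account at the same time."""
    lookup = {}
    for u, h in table.items():
        lookup.setdefault(h, []).append(u)
    cracked, hashes_computed = {}, 0
    for guess in wordlist:
        hashes_computed += 1
        h = hashlib.sha256(guess.encode()).hexdigest()
        for u in lookup.get(h, []):
            cracked[u] = guess
    return cracked, hashes_computed


def crack_salted(table, wordlist):
    """Every guess must be recomputed with each account's own salt."""
    cracked, hashes_computed = {}, 0
    for u, (salt, digest) in table.items():
        for guess in wordlist:
            hashes_computed += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, PBKDF2_ROUNDS) == digest:
                cracked[u] = guess
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    plain = unsalted_table(LEAKED_PLAINTEXT)
    print("identical records (unsalted):", duplicate_groups(plain))
    print("unsalted:", crack_unsalted(plain, COMMON_PASSWORDS))
    salted = salted_table(LEAKED_PLAINTEXT)
    print("identical records (salted):", duplicate_groups(salted))
    print("salted:", crack_salted(salted, COMMON_PASSWORDS))
```

Both runs recover the same four weak accounts, but the unsalted table gives them up after five hash computations in total, and reveals that alice, bob and carol share a password before any guessing starts; the salted table costs a separate slow computation per guess per account and leaks nothing from the records themselves. The strong password survives either way, which is the article’s point.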
Database leaks. Passwords found in database leaks, common or not. Apple’s explanation is that “This password has appeared in a data breach, putting this account at high risk of being compromised.” These matches are made remotely by Apple against breach data collected by reputable security sources that Apple has licensed, acquired, and stored using a cryptographic approach that avoids sending your exact password to Apple. The list contains 1.5 billion passwords. You can opt out by disabling Detect Compromised Passwords.
People trying to break into accounts will also try less common passwords, depending on the computing resources they have available. If a password you use (whether only you or other people in the world use it too) has ever been leaked in plain text, you can’t be sure that someone won’t use it to attack your account.
Reused passwords. Apple flags passwords you use across multiple sites. The text reads: “You’re reusing this password on “domain”, which increases the risk to this account if your “domain” account has been compromised.”
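The article does not say which cryptographic approach Apple uses for the Database leaks check above, so the following added example (my code, not Apple’s) shows the simplest widely deployed scheme of that kind: the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API. The client hashes the password locally and sends only the first five hex characters of the SHA-1 digest; the server answers with every suffix it holds for that prefix; the comparison happens on the client, so the server never learns the full hash, let alone the password. The five-password breach corpus is constructed for the demo and far too small to give real anonymity, which the comments note.

```python
import hashlib

PREFIX_LEN = 5
HEX = set("0123456789ABCDEF")

# Constructed breach corpus standing in for a licensed breach dataset. Not real data.
# A real deployment holds hundreds of millions of hashes, so each 5-char prefix
# maps to hundreds of suffixes and the client's query hides in that crowd.
BREACH_CORPUS = {"password", "123456", "letmein", "qwerty", "dragon"}

SERVER_INDEX = {}
for _pw in BREACH_CORPUS:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    SERVER_INDEX.setdefault(_h[:PREFIX_LEN], []).append(_h[PREFIX_LEN:])

# Records each message in the exchange so both sides of the protocol are visible.
TRANSCRIPT = []


def server_range_lookup(prefix):
    """Server side: return every known suffix for a 5-hex-char prefix.

    The server sees only the prefix and cannot tell which suffix, if any,
    the client is interested in.
    """
    if len(prefix) != PREFIX_LEN or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    suffixes = sorted(SERVER_INDEX.get(prefix, []))
    TRANSCRIPT.append(("server -> client", prefix, suffixes))
    return suffixes


def client_is_leaked(password, lookup=server_range_lookup):
    """Client side: hash locally, send only the prefix, match suffixes locally."""
    full = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    TRANSCRIPT.append(("client -> server", prefix))
    candidates = lookup(prefix)
    return suffix in candidates, prefix


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        leaked, sent = client_is_leaked(pw)
        print(f"{pw!r}: sent prefix {sent}, leaked={leaked}")
    for msg in TRANSCRIPT:
        print(msg)
```

Note what the server logs in TRANSCRIPT: only prefixes and the suffix lists it returned. SHA-1 is used here because that is what the HIBP API is keyed on; it is fine for this lookup because the hash is never a secret the server must protect, the prefix truncation is.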
Once upon a time, it was considered wise to pick one strong password, first a random string of 8 characters and later as many as 12, and use it everywhere, changing it from time to time. That advice has long since expired. Now you should use a password manager, such as the one built into Apple’s operating systems, to create and store a unique, long password for each site and service you register with.
How to upgrade your password quality
Apple has a shortcut that lets you quickly change a weak or compromised password. For high priority listings, click Change Password on Website; for other items, click the item first, then click Change Password on Website.
This may take you directly to the password-change or account-management page on the site. Apple developed a specification that lets a website administrator place a specially formatted file (or a script that does the same) at https://example.com/.well-known/change-password which redirects to the correct page. If that location exists, clicking Change Password on Website takes you to the right place; if not, it takes you to the site’s homepage. (If you run a website of any size, it’s very easy to set up.)
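As an added example, not Apple’s code and not from the article, here is a minimal Python WSGI handler that serves the redirect, beside the resolution logic a password manager would run against it. The site layout (/account/security as the real change-password page) is an assumption. The published version of this spec also defines a probe path, /.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200, so that a client can detect sites that answer 200 to every URL and would otherwise appear to “support” the redirect; the resolver below uses it and falls back to the homepage for such sites.

```python
from urllib.parse import urljoin

WELL_KNOWN = "/.well-known/change-password"
# Probe path from the spec: a correctly configured site must NOT answer 200 here.
PROBE = "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"

# Assumed site layout for this example.
CHANGE_PASSWORD_PAGE = "/account/security"
KNOWN_PAGES = {"/", "/login", CHANGE_PASSWORD_PAGE}


def site_app(environ, start_response):
    """WSGI app for a site that implements the well-known redirect correctly."""
    path = environ.get("PATH_INFO", "/")
    if path == WELL_KNOWN:
        start_response("302 Found", [("Location", CHANGE_PASSWORD_PAGE)])
        return [b""]
    if path in KNOWN_PAGES:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"page"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def soft404_app(environ, start_response):
    """A misconfigured site that returns 200 for every path, including the probe."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>some page</html>"]


def request(app, path):
    """Invoke a WSGI app in-process (no sockets) and capture status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def resolve_change_password_url(app, site_base):
    """Client logic: use the well-known redirect when the site supports it and is
    not a soft-404 site; otherwise fall back to the site's homepage."""
    probe_status, _, _ = request(app, PROBE)
    if probe_status.startswith("2"):
        return site_base  # answers 200 to anything, so its "redirect" means nothing
    status, headers, _ = request(app, WELL_KNOWN)
    if status.startswith("3") and "Location" in headers:
        return urljoin(site_base, headers["Location"])
    if status.startswith("2"):
        return urljoin(site_base, WELL_KNOWN)  # page served in place, no redirect
    return site_base


if __name__ == "__main__":
    print(resolve_change_password_url(site_app, "https://example.com/"))
    print(resolve_change_password_url(soft404_app, "https://example.com/"))
```

On a real deployment the same logic is one line in the web server configuration (a 302 from /.well-known/change-password to the account page) plus making sure unknown paths really return 404, which is what the probe checks.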
If you change the password on the website using Safari, you will be prompted to update your saved password in the keychain.
You can also change the password directly and then copy and paste it into the website. Click Edit, then Create Strong Password, and the password manager generates a new, better one. However, you will likely need the old password to log in before the site lets you change it, so make a note of the old password before updating the entry.
This Mac 911 article is an answer to a question from Macworld reader François.
Ask Mac 911
We’ve put together a list of the questions we get asked most often, along with answers and links to columns: read our super FAQs to see if your question is covered. If not, we are always looking for new problems to solve! Email yours to [email protected], including screenshots if applicable and if you want your full name used. Not every question is answered, we don’t reply to email, and we can’t provide direct troubleshooting advice.