Despite the rise of two-factor authentication, password security remains a top priority. Unless your password is unique, relatively long, and hasn’t been detected in a database breach as plain text, you should probably change it. For some sites, you may not have changed the password in years–or ever. (Conversely, if any password for a particular site you use is unique, long, and unbreakable, there’s no valid reason to change it.)
Apple offers a tool to help you fix your worst passwords. Security Recommendations can be found on iOS/iPadOS at Settings > Passwords. On macOS, look for it at System Settings > Passwords (Ventura), System Preferences > Passwords (Monterey), or Safari > Preferences/Settings > Passwords (all versions of macOS). This is easiest to manage on macOS, so the examples below come from Ventura.
Recommendations are divided into High Priority Recommendations and Other Recommendations. For me, I have 18 in the former category and 68 in the other. (If you don’t have any High Priority Recommendations, it may only show a single list.) It’s not clear why Apple promotes certain entries to the high priority category. In my account, items listed as high priority include a financial site, a government (.gov) site, and several Apple sites. The other sites included don’t necessarily have anything in common–perhaps password brevity or how commonly a password word is used.
Warnings listed by Apple
Here’s what you’ll see as warnings in both high-priority and standard-priority entries:
Commonly used password: Passwords identified as commonly used are derived from years of password releases. Passwords used by many people can easily be found on the Internet by anyone, especially criminals or other attackers. Apple says, “Many people use this password, which makes it easy to guess.” I found a few test accounts in this category—accounts that I set up and never used or that were temporarily set up for me. Their passwords were as simple as the letter a and the word password. (These matches are made using information that Apple stores on your computer.)
Crackers who gain access to an account database that lacks modern protections (a per-user salt and a slow hash, which turn identical passwords into distinct, cryptographically obscured entries) will first run through a list of the most commonly breached passwords. This lets them pick off the low-hanging fruit.
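To make the point above concrete, here is an added example (not code from the article or from Apple) that contrasts a legacy unsalted store with a salted, iterated one. All user records and the "commonly used" list are constructed sample data; the iteration count and the 16-byte salt are assumptions chosen for the demo. It shows why a list of common passwords can be hashed once and matched against every unsalted record in a single pass, while salting forces the work to be repeated per user and hides which users share a password.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a "most commonly breached passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "a"]

# Constructed sample users; two of them reuse the same weak password.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "a",
    "dave": "Tr0ub4dor&3-x7-constructed",
}

# Assumption for the demo: PBKDF2-HMAC-SHA256 with 100k iterations.
PBKDF2_ROUNDS = 100_000


def store_unsalted(password: str) -> str:
    """Legacy scheme: plain SHA-256 with no salt. Identical passwords collide."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Modern scheme: random per-user salt plus a slow, iterated hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest.hex()


def build_databases() -> Tuple[Dict[str, str], Dict[str, Tuple[bytes, str]]]:
    """Build the same user set under both storage schemes."""
    unsalted = {u: store_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: store_salted(p) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted


def crack_unsalted(db: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash the wordlist once, then match every record in a single pass.
    Returns (user -> recovered password, number of hash operations)."""
    table = {store_unsalted(w): w for w in wordlist}
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(wordlist)


def crack_salted(db: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With a per-user salt there is no shared table: every (user, word)
    pair costs a full slow hash, and shared passwords are not visible."""
    ops = 0
    found: Dict[str, str] = {}
    for user, (salt, digest) in db.items():
        for word in wordlist:
            ops += 1
            if store_salted(word, salt)[1] == digest:
                found[user] = word
                break
    return found, ops


if __name__ == "__main__":
    unsalted_db, salted_db = build_databases()
    print("alice/bob unsalted hashes identical:", unsalted_db["alice"] == unsalted_db["bob"])
    print("alice/bob salted hashes identical:  ", salted_db["alice"][1] == salted_db["bob"][1])
    print("unsalted:", crack_unsalted(unsalted_db, COMMON_PASSWORDS))
    print("salted:  ", crack_salted(salted_db, COMMON_PASSWORDS))
```

The salted run recovers the same three weak passwords, because salting does not rescue a password that is on the list; what changes is the cost per user and the fact that alice and bob no longer have matching stored values. That is the reason the advice is both "use a password manager to avoid common passwords" and, for site operators, "salt and slow-hash".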
Commonly used word. Apple warns you if you use a common word: one that is short and often used in your language. Password crackers have long been run against lists of common words; that approach may be less effective now because of changes in how passwords are stored, but it’s still not smart to have a password that is all or mostly common words.
Database leaks. Passwords specifically found in database leaks, common or not. Apple’s explanation is “This password appeared in a data leak, which puts this account at high risk of compromise.” These matches are made by Apple remotely against breach data compiled by trusted security sources and licensed, obtained, and stored by Apple, using a cryptographic strategy that avoids transmitting your exact password. Their list contains 1.5 billion passwords. You can opt out by disabling Detect Leaked Passwords.
People trying to break into accounts will also try less commonly found passwords, depending on the computational resources they have. If a password you use (your own or one shared by other people in the world) has leaked as plain text, you can’t be sure that someone won’t attack your account with it.
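The article says Apple checks leaked passwords without transmitting the exact password but does not describe the scheme. The following added example (not the article's or Apple's code) demonstrates one widely used way to do that: the hash-prefix range query popularised by the Have I Been Pwned "Pwned Passwords" API, in which the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally. The leaked corpus is a constructed five-entry list; whether Apple's scheme works the same way is an assumption, not something the page states.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a breach-compilation service's corpus.
# The "server" keeps only SHA-1 digests, bucketed by 5-hex-char prefix.
_LEAKED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "iloveyou"]

_SERVER_INDEX: Dict[str, List[str]] = {}
for _pw in _LEAKED_PLAINTEXT:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _SERVER_INDEX.setdefault(_h[:5], []).append(_h[5:])

_HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash used by the range-query scheme."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def server_range_query(prefix: str) -> List[str]:
    """Server side: given a 5-char prefix, return every known suffix in that
    bucket. The server never learns which of the 16**35 possible hashes the
    client actually holds, only that it starts with these five characters."""
    if len(prefix) != 5 or any(c not in _HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return sorted(_SERVER_INDEX.get(prefix, []))


def what_the_server_sees(password: str) -> str:
    """The only value that leaves the client: the hash prefix."""
    return sha1_hex(password)[:5]


def is_leaked(password: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return suffix in server_range_query(prefix)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(f"{candidate!r}: server sees {what_the_server_sees(candidate)}, "
              f"leaked={is_leaked(candidate)}")
```

Two properties matter for the privacy claim: the full hash is never sent, and the response is the whole bucket rather than a yes/no, so the service cannot tell which entry (if any) matched. A real deployment would add transport encryption and, as the HIBP API does, optional padding of the response so bucket sizes do not leak information either.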
Reused passwords. Apple flags this for passwords you use on multiple sites. The text reads, “You are reusing this password on “domain”, which increases the risk to this account if your “domain” account is compromised.”
It was once common wisdom to pick a strong password–at one time a random sequence of 8 characters, later up to 12–and use it everywhere, changing it from time to time. That advice has long since expired. Now you should use a password manager, such as the one built into Apple’s operating systems, to create and store a unique, long password for each site and service you register with.
How to upgrade your password quality
Apple has a shortcut that lets you quickly change a weak or compromised password. For high priority entries, click Change Website Password; for other entries, click the entry first and then click Change Website Password.
This may take you to the password change or account management page on the site. Apple has developed a specification that allows a website operator to place a special file (or a script that does the same) at https://example.com/.well-known/change-password which redirects to the correct page. If that location exists, clicking the Change Website Password button takes you to the right place; otherwise, it takes you to the site’s home page. (If you run a website of any size, this is very easy to set up.)
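For a site operator, here is an added example (not from the article, Apple, or any real site) of the server side of that arrangement: a tiny HTTP server whose /.well-known/change-password path answers with a redirect to the site's real password-change form. The form path /account/security/password is a hypothetical placeholder. The specification this behaves like ("A Well-Known URL for Changing Passwords", the W3C/WICG document Apple and other browser vendors adopted) also defines a second well-known path that must not return 200, so that clients can tell a real redirect apart from a server that answers 200 to everything; the example serves that too, and includes a self-check a site owner can run against the routing table.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, List, Tuple

# Hypothetical location of this site's real password-change form.
CHANGE_PASSWORD_PAGE = "/account/security/password"

WELL_KNOWN_CHANGE = "/.well-known/change-password"
# Defined by the same spec: a URL that must NOT answer 200, used by
# clients to detect servers that return 200 for every path.
WELL_KNOWN_MUST_NOT_EXIST = (
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"
)

Response = Tuple[int, List[Tuple[str, str]]]


def route(path: str) -> Response:
    """Pure routing table: request path -> (status, headers).
    Kept free of socket code so it can be unit-tested directly."""
    if path == WELL_KNOWN_CHANGE:
        # 302 keeps the well-known URL method-agnostic; 303 would also do.
        return 302, [("Location", CHANGE_PASSWORD_PAGE)]
    if path == WELL_KNOWN_MUST_NOT_EXIST:
        return 404, []
    if path == CHANGE_PASSWORD_PAGE:
        return 200, [("Content-Type", "text/html; charset=utf-8")]
    return 404, []


def verify_well_known(router: Callable[[str], Response]) -> bool:
    """Self-check a site owner can run: the change-password path must
    redirect with a Location header, and the must-not-exist path must
    not be 200 (a catch-all 200 would make the redirect meaningless)."""
    status, headers = router(WELL_KNOWN_CHANGE)
    has_location = any(k.lower() == "location" and v for k, v in headers)
    if not (300 <= status < 400 and has_location):
        return False
    probe_status, _ = router(WELL_KNOWN_MUST_NOT_EXIST)
    return probe_status != 200


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        status, headers = route(self.path.split("?", 1)[0])
        self.send_response(status)
        for key, value in headers:
            self.send_header(key, value)
        self.end_headers()
        if status == 200:
            self.wfile.write(b"<h1>Change password form (placeholder)</h1>")


if __name__ == "__main__":
    print("well-known setup OK:", verify_well_known(route))
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

On a static host the equivalent is a single redirect rule in the web server configuration (for nginx, a `location = /.well-known/change-password` block that returns a 302 to the form); the self-check above is the part most people skip, and a catch-all 200 page is the usual reason the button lands on the home page instead of the form.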
If you change the password on the website using Safari, you’ll be prompted to update your stored keychain password.
You can also change the password directly on the spot and then copy and paste it into the website. Click Edit and then Create a Strong Password, and the password manager generates a new, stronger one. However, you may need the old password to log in–so make a note of the old password before updating it.
This Mac 911 article is in response to a question submitted by Macworld reader François.
Ask for Mac 911
We’ve compiled a list of the questions we’re asked most often, along with answers and links in the columns: read our super FAQ to see if your question is covered. Otherwise, we’re always looking for new problems to solve! Email yours to firstname.lastname@example.org, including screen captures if applicable and if you wish to use your full name. Not all questions can be answered, we don’t respond to email, and we can’t provide direct troubleshooting advice.