My wife transferred her passwords in 1Password 7 to Apple Passwords via a CSV file, only to detect that Apple Passwords labelled about a quarter of her passwords as “Compromised”, while 1Password 7 Watchtower does not find any problems and Have I Been Pwned also gives a negative result for her email address.
What is the problem?
Besides, we noted that 1Password 7 and Apple Passwords do not nicely cooperate when entering password information, or trying to update a password. We failed trying to silence/quit one of them to get a clear choice.
My guess, based on the very brief description of the situation above, is that Apple Passwords uses multiple, non-overlapping lists or Apple is using a different list—or lists—than 1Password (1P uses haveibeenpwned so it makes sense 1P and HIBP return similar results).
According to Apple, AP not only compares your passwords to a stored-on-device list of known compromised passwords but also will compare your passwords to an online list of compromised passwords. 1P, on the other hand, relies on a single, online list.
Seems unlikely that the locally stored list contains anything not in the online list. Merely a way to do a local check first with a subset of information.
Depending on how sensitive the affected passwords are (for example, the potential harm of a compromised Netflix password is a lot lower than a compromised bank password), it could be a good idea to change the Apple-flagged passwords as a precaution.