Password compromise?

The Password app on both my iMac and my wife’s is saying that almost all our site passwords are compromised. Has there been some kind of major penetration of Apple? Anybody else experiencing this today?

Short answer: no, Apple hasn’t suffered a major breach (unless there is a very recent, undisclosed breach). But the warning does mean you should change all of the flagged passwords plus any passwords you use for more than one site or service right away.

Longer answer: the Passwords application in macOS, iOS, and iPadOS compares your passwords, using a secure and private method, to online lists of passwords that are known to be compromised. So your iMacs are warning you that some of your passwords are included on at least one of these lists.

Suggested next steps:

  1. Change all flagged passwords as soon as possible. These passwords are already available to hackers and criminals.
  2. Change any password you use for more than one website or service as soon as possible.
  3. Turn on 2-factor authentication or turn on Passkeys for all of your online accounts as soon as possible (if this makes you feel overwhelmed or scared, begin by doing this for accounts involving financial information, government agencies, and anything critical to your daily life. Then when you feel more confident, do the remaining accounts).

—————

Information from Apple

One of the compromised website lists probably used by Apple

6 Likes
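The reply above says the Passwords app compares your passwords to breach lists “using a secure and private method” without naming it. The following is an added illustration, not Apple’s code or anything from this thread: it simulates one widely used scheme of that kind, the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API, where the client sends only the first 5 hex characters of the SHA-1 of a password and does the comparison locally. The leaked-password list and the server index are constructed here for the demonstration.

```python
import hashlib

# Constructed "breach list" on the server side. A real service holds
# hundreds of millions of hashes; five are enough to show the mechanism.
LEAKED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server index: 5-character hash prefix -> list of (35-character suffix, count).
SERVER_INDEX: dict[str, list[tuple[str, int]]] = {}
for _pw in LEAKED_PASSWORDS:
    _h = sha1_hex(_pw)
    SERVER_INDEX.setdefault(_h[:5], []).append((_h[5:], 1))


def server_range(prefix: str) -> list[tuple[str, int]]:
    """What the server sees: only a 5-hex-character prefix. It returns every
    stored suffix under that prefix and cannot tell which one, if any, the
    client actually holds (that is the k-anonymity property)."""
    if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return SERVER_INDEX.get(prefix, [])


def is_compromised(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes
    locally. Neither the password nor its full hash leaves the client."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return any(stored == suffix for stored, _count in server_range(prefix))


def compromised_in(passwords: list[str]) -> list[str]:
    """Return the subset of a vault's passwords that appear on the breach list."""
    return [p for p in passwords if is_compromised(p)]
```

An app that flags "almost all" of a vault's entries is reporting exactly this kind of suffix match for each of them, which is why the flagged passwords should be changed rather than the warning dismissed.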

And do use the strong password suggestion from Apple if possible. The Passwords app may be saying that your existing passwords are in the list of “way too guessable”.

And as Halfsmoke says, DO NOT use the same password for multiple sites or applications.

3 Likes

Let the computer manage your passwords.

I cannot remember a single password I use today.

In fact, you shouldn’t be using passwords that are easily memorable because they’re likely not strong enough. Best is to use a passkey or touchid or faceid, with 2fa.

2 Likes

Don’t use any app to manage your passwords, put them in a sheet instead.

1 Like

That creates a different set of risks.

  • Keeping passwords on paper means you have to type them in. Which means the really ugly ones that are impossible to memorize (what everybody seems to prefer these days) are going to be hard for you to type in correctly.

    You could keep them in a file, and copy/paste the password, but now you’ve got a file that could be exfiltrated by malware, exposing everything to an attacker.

  • A spoofed web site may trick you. If you were to accidentally go to a spoofed tidbits.com site (e.g. something like t1dbits.com), you might enter your login credentials, giving them to the attacker. A password manager won’t be fooled by similarly-looking domain names or web site layout - it will refuse to fill-in a password if it’s not the correct site.

11 Likes

I think (and many of my elderly clients agree) that “sheet” could mean hand-written.

3 Likes

Obviously :)

1 Like

Yeah, you are right, but literally put very important passwords on a physical sheet.

Well a Sheet could also be a Spreadsheet, perhaps locked with its own password/protection…

If the local risk and frequency is low then on paper is not a bad idea imho. Long passwords consisting of easy to type strings or even copy and pasteable or using text replacement could work.

Using bookmarks in a browser might minimize risk of spoofed urls (or can spoof sites defeat browser bookmarks?, I don’t know, technically), as well as ‘constant vigilance’ of what is in the url field…

Using a password manager to make a printed backup now and then and storing the printout safely (informing trusted persons of location could help in urgent situations) also not bad imho.

I think there has been some confusion. When I said “type them in”, I didn’t mean in order to make a paper printout, but rather that you need to type them into web forms as a part of logging-in.

This eliminates one big security feature that comes from a password manager - you can be fooled into typing the password into the wrong site. Whereas a password manager (whether in your browser or a separate app) won’t auto-fill a knock-off site, because the URL’s domain will be different.

And, as I wrote, if your password is sufficiently complicated, it is going to be really annoying to type it in whenever you need it.

3 Likes

One could create a “formula” for passwords. ex: Type in capital letters the first and fourth letters of the name of the site, then with the rest of the password use something easier to remember for all sites. Use symbols and numbers.

So, for example, for the website tidbits.com, it would look like this: TBa#other35

For Mervins it would be MVa#other35

When I do something like this I am always rewarded with a “strong password” acknowledgment.

1 Like

I’d just add this method is best used in conjunction with 2-factor authentication, especially if one frequently uses public computers (say, at a library) or regularly logs on to sites when one’s screen can be viewed by others (say, while commuting on a train or when flying).

I do use 2FA or tokens with banking, etc. More and more sites that I go to require it anyway. But I don’t need to do anything in public anymore.

Sites that tell you that you have a “strong password” are doing a simplistic analysis of what it would take to brute-force your password given no other information. In reality, miscreants doing credential stuffing attacks have important additional information. Once a single site with which you have used your password formula has been compromised (and almost everyone has had at least one account compromised, whether they know it or not), the miscreants will start checking trivial variants on your password with other sites that share the same user name or email address. Even if you had six site-specific characters, your other passwords would be cracked in seconds.

  • Don’t re-use passwords
  • Don’t re-use parts of passwords
  • Things that seem inscrutable to humans can be trivial to computers

2 Likes

I guess I made it too easy for them. oops. And I thought I was so secure.

In 2025…the only thing that actually matters is length (I can provide the longer justification for that if desired). 3 or 4 common dictionary words separated by a special character of choice and 4 digits with a couple uppercase is perfectly secure. That way it is sort of memorable and type-able if need be. 20ish long is fine for now. It is true that completely random passwords are ever so slightly more secure…but when the outcome is 20 billion billion centuries to crack instead of 19 who cares. Set up your own system of how many words and what special and digits to use and you will be perfectly fine.

2 Likes

I’ve heard arguments from people that even combinations of dictionary words is bad because, they claim, that the tables used for dictionary attacks include common misspellings of every word and all combinations of 2, 3 or 4 or more words.

I think this is complete nonsense, probably concocted as a joke or by someone’s paranoid fantasies. A dictionary table to include all of that would be so large that it would require a massive investment in cloud storage, and running a password file against it would take as long as a brute-force attack.

For example:

  • English has 828,000 words (source: Wikipedia, citing Wiktionary.) That Wikipedia also cites 470,000 words, via Webster’s Third New International Dictionary. I’ll use the smaller number here, but the larger one will just make my point even stronger.
  • If we want to cover upper-case, lower-case, and initial-capital, multiply that by 3: 470,000 * 3 = 1.4M combinations (If we want to include all permutations of case, assuming an average word size of 6 characters, multiply by 64: 470,000 * 64 = 30M combinations. But I’ll ignore that situation)
  • If we want to include character substitutions (e.g. o0 or i!), then multiply the word-count by 24 and add that to the total for 470,000 * 27 = 13M. (12 commonly-used symbols, assuming 2 substitutions per word). (ASCII has 40 symbols, so if we assume 2 substitutions of any of them, then that would result in 470,000 * 43 = 20M, but I’ll skip that bit)
  • Now, if we want to add in sequences of 1, 2, 3 and 4 words, we come up to:
    • 1 word: 13M
    • 2 words: 13M^2 = 161 trillion combinations (multiplied by another factor if we want to count different word-separator characters, but I’ll ignore that)
    • 3 words: 13M^3 = 2 x 10^21 combinations (again, not including different word-separator characters)
    • 4 words: 13M^4 = 2 x 10^28 combinations.
    • Given the orders of magnitude involved, I think we can treat the 4-word combinations as functionally equivalent to the sum of all of the above. If we can test a trillion (10^12) per second, that still comes to 2.6 x 10^16 seconds, or 821 million years to try them all.

But let’s ignore character substitutions, case and word separators. Just a simple combination of any sequence of 4 dictionary words: would be 470,000^4, or 4.9 x 10^22 combinations. At 1 trillion guesses per second, it would still take 48.8 billion seconds, or over 1500 years.

So I agree completely. Pick any random sequence of four dictionary words and don’t worry about it. Trying to run a hypothetical dictionary attack might be faster than brute force, but it will still take so long as to be pointless.

Update: @Halfsmoke cites Duck Duck Go, which uses 3 words for its auto-generated disposable e-mail addresses. That would be 470,000^3 = 1 x 10^17 combinations. That wouldn’t be sufficient for a password, because at 1 trillion guesses per second, that would be only 28 hours to try all combinations. (I’m pretty sure nobody can test 1T per second, but you get my point - it’s several orders of magnitude less than 4 words).

Of course, even then, any service even remotely competent would suspend the account after a few dozen failures (some may do so after only 3-5). So the concept of trying billions of combinations only works if the attacker has already broken into the service and has stolen the database of password-hashes.

3 Likes
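The post above works through the size of a hypothetical dictionary table by hand. As an added example that is not part of the thread, the script below carries the same arithmetic through with the post’s own figures (470,000 words, 3 case forms, 24 substitutions, 10^12 guesses per second) and generalises it to any word count, dictionary size and guess rate, so the 161 trillion, 821 million years, 1500 years and 28 hours figures can be checked and re-run with other assumptions.

```python
# Added calculator for the dictionary-attack keyspace estimate in the post above.
# The model follows the post: per-word variants are multiplied out, word
# separators are ignored, and an n-word sequence has (variants per word) ** n
# candidates. Rates and dictionary sizes are the post's assumptions, not
# measurements.

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def variants_per_word(dict_size: int, case_forms: int = 3, substitutions: int = 24) -> int:
    """Distinct single-word candidates: each word in `case_forms` case variants,
    plus `substitutions` character-substituted spellings (post: 470,000 * 27)."""
    return dict_size * (case_forms + substitutions)


def keyspace(per_word: int, n_words: int) -> int:
    """Candidates for a sequence of n words drawn independently (separators ignored)."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return per_word ** n_words


def time_to_exhaust(candidates: int, guesses_per_second: float = 1e12) -> dict[str, float]:
    """Wall-clock time to try every candidate once at the given guess rate."""
    seconds = candidates / guesses_per_second
    return {
        "seconds": seconds,
        "hours": seconds / SECONDS_PER_HOUR,
        "years": seconds / SECONDS_PER_YEAR,
    }


def passphrase_report(n_words: int, dict_size: int = 470_000, with_variants: bool = True,
                      guesses_per_second: float = 1e12) -> dict[str, float]:
    """One row of the post's table: keyspace plus time to exhaust it.
    with_variants=False reproduces the 'plain dictionary words' case."""
    per_word = variants_per_word(dict_size) if with_variants else dict_size
    space = keyspace(per_word, n_words)
    report = time_to_exhaust(space, guesses_per_second)
    report["candidates"] = float(space)
    return report
```

Increasing the guess rate by a factor of a thousand shifts these figures by the same factor, which is why the post treats four random words as comfortably beyond a dictionary table even with generous assumptions about the attacker.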

The DuckDuckGo email forwarding service has a similar view. When the service first launched, its disposable email addresses were based on random character strings (example: 3hbp#!m@duck.com). Now the addresses are much easier to use and remember because they are based on three random words (example: show-card-jazz@duck.com). As shown above, the new format provides an effectively equivalent level of security.

To get back to the OP’s question, assuming they’re reading anything in this thread, I think online accounts with sensitive information should be protected by either a Passkey or a secure password plus 2-factor authentication. Why? Because current attacks include both dictionary attacks and thefts of entire log-in databases.

Yes. But that’s OK for DDG’s purposes because all a successful guesser would get would be an address used to forward emails to an email account hosted somewhere else. Not too useful for anything other than untargeted, unpersonalized spam blasts.