Iphone message "this password has appeared in a data leak..."

  • Last Updated:
  • Jun 4th, 2021 11:25 pm
[OP]
Deal Addict
Mar 8, 2006
1234 posts
65 upvotes

Yesterday I received this message on my iphone "This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately" and it's asking me to change 89 passwords on different sites.

Many of the passwords are not the same although a few are. Does this mean that 89 of my passwords were compromised? How? I did google it but I still don't fully understand.

Thx.
36 replies
Deal Guru
Jun 15, 2012
14548 posts
8501 upvotes
Southern Ontario
Official or spam notification?
[OP]
Deal Addict
Mar 8, 2006
1234 posts
65 upvotes
Official in the iphone under the passwords settings.
Deal Addict
Sep 16, 2013
2529 posts
1463 upvotes
SW ON
You gave Apple access to your almost 89 passwords via the phone? What if Apple gets compromised?
Deal Addict
Sep 16, 2013
2529 posts
1463 upvotes
SW ON
What's the general consensus on checking if your password was compromised? By checking you give your password to some unknown website.
Deal Addict
Jun 20, 2020
4880 posts
4745 upvotes
Toronto
alpovs wrote: You gave Apple access to your almost 89 passwords via the phone? What if Apple gets compromised?
89 derivations of your passwords, doesn't reveal your password information to Apple

Safari and iCloud Keychain regularly monitor your passwords against leaked passwords online that may have been involved in a data breach. Apple states that it "uses strong cryptographic techniques to regularly check derivations of your passwords against a list of breached passwords in a secure and private way that doesn't reveal your password information — even to Apple."
from https://ios.gadgethacks.com/how-to/ios- ... s-0341281/
Deal Addict
Sep 16, 2013
2529 posts
1463 upvotes
SW ON
Dhanushan wrote: 89 derivations of your passwords, doesn't reveal your password information to Apple

Safari and iCloud Keychain regularly monitor your passwords against leaked passwords online that may have been involved in a data breach. Apple states that it "uses strong cryptographic techniques to regularly check derivations of your passwords against a list of breached passwords in a secure and private way that doesn't reveal your password information — even to Apple."
from https://ios.gadgethacks.com/how-to/ios- ... s-0341281/
The only thing left is to believe in this. Did anybody inspect the code? Oh, it's not open source.
Deal Guru
Jun 15, 2012
14548 posts
8501 upvotes
Southern Ontario
boneca wrote: Official in the iphone under the passwords settings.
So in Settings > Passwords & Accounts > Website & App Passwords? (because that is where the majority of web pw's are located in iOS)
Deal Addict
Dec 19, 2015
1372 posts
685 upvotes
Calgary, AB
alpovs wrote: What's the general consensus on checking if your password was compromised? By checking you give your password to some unknown website.
I guess you don’t use anything like LastPass or save your login details in your phone or browser?
Deal Expert
Aug 22, 2006
27565 posts
13206 upvotes
Dhanushan wrote: derivations
This is making less and less sense because that's not how passwords and hashing work.

If you hash your password of "password" you get:
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
But if you derive "passw0rd" from it, you get:
8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9
Which is a completely different hash.

So Apple at some point has to get your original password (even in hash form) otherwise it makes no sense.
Even if "password" was compromised, a password like "passw0rd!1" might not be.

As a real life example, I recently signed up for Petro Points. Their password rules state (among others) that your password cannot be "Petro123" so I made mine "Petro124" just because.
Deal Expert
Aug 22, 2006
27565 posts
13206 upvotes
alpovs wrote: What's the general consensus on checking if your password was compromised? By checking you give your password to some unknown website.
I don't.

Even if it was compromised, every website has a unique password so the only password they got was that one.
Deal Addict
Sep 16, 2013
2529 posts
1463 upvotes
SW ON
alpovs wrote: What's the general consensus on checking if your password was compromised? By checking you give your password to some unknown website.
And that's what I meant. OK, the front page asks for an email or phone number. But you can also check if your password was compromised: https://haveibeenpwned.com/Passwords

I don't feel comfortable entering either on a website I don't know much about. Do you? They get this information once you enter it.
Deal Expert
Aug 22, 2006
27565 posts
13206 upvotes
alpovs wrote: And that's what I meant. OK, the front page asks for an email or phone number. But you can also check if your password was compromised: https://haveibeenpwned.com/Passwords

I don't feel comfortable entering either on a website I don't know much about. Do you? They get this information once you enter it.
If you scroll down a little, there's a download link to the full hashed password file.
If you hash your own password in SHA1, you can now search if it's in the database completely offline.
This is not as trivial as just putting in your password into a random form on a random website, but it's far more secure.
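The offline check death_hawk describes, written out as an added example (not code from this thread or from Have I Been Pwned): hash the candidate password with SHA-1 and look it up in lines of the downloaded list's HASH:count format. The sample lines are constructed here with made-up counts; the lookup also illustrates the earlier point that a variant such as "passw0rd" hashes to an unrelated value and is not matched by an entry for "password".

```python
import hashlib
from typing import Iterable, Sequence


def sha1_hex_upper(password: str) -> str:
    # The Pwned Passwords download lists uppercase hex SHA-1 digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_pwned_count(password: str, lines: Iterable[str]) -> int:
    # Each line has the form "<SHA1>:<count>". Return the count for a
    # match, or 0 if the password's hash is absent. Only digests are
    # compared, so the plaintext never leaves this process.
    target = sha1_hex_upper(password)
    for line in lines:
        digest, sep, count = line.strip().partition(":")
        if sep and digest.upper() == target:
            return int(count)
    return 0


def lookup_in_file(password: str, path: str) -> int:
    # Stream the downloaded file line by line rather than loading it
    # into memory; the real list is far too large for that.
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return lookup_pwned_count(password, fh)


# Constructed sample in the download's layout. The counts are made up;
# the digests are computed here so the sample stays self-consistent.
_CONSTRUCTED = {"password": 3861493, "123456": 23597311, "Petro123": 12}
SAMPLE_LINES = [f"{sha1_hex_upper(p)}:{n}" for p, n in _CONSTRUCTED.items()]


def audit(candidates: Sequence[str], lines: Sequence[str]) -> dict:
    # Check several passwords against the same in-memory list.
    return {c: lookup_pwned_count(c, lines) for c in candidates}


if __name__ == "__main__":
    results = audit(["password", "passw0rd", "Petro123", "Petro124"], SAMPLE_LINES)
    for pw, n in results.items():
        print(f"{pw!r}: {f'seen {n} times' if n else 'not in list'}")
```

Point `lookup_in_file` at the real downloaded text file to run the same check against the full list.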
Deal Addict
Sep 16, 2013
2529 posts
1463 upvotes
SW ON
Andy34 wrote: I guess you don’t use anything like LastPass or save your login details in your phone or browser?
I save my login details in some apps on the phone, but I don't use my phone for anything serious like banking or purchasing. I save my login details in the browser on my PC. And it's Firefox without a connection to any account, not Chrome, which always wants you to connect to your Google account and save everything you do. And not Edge, which I think wants the same with Microsoft. And I save my login details in a text file on my PC 😝 Sometimes I think I should copy them to a paper notebook, but I've been too lazy to do that.
Deal Addict
Sep 16, 2013
2529 posts
1463 upvotes
SW ON
death_hawk wrote: If you scroll down a little, there's a download link to the full hashed password file.
If you hash your own password in SHA1, you can now search if it's in the database completely offline.
This is not as trivial as just putting in your password into a random form on a random website, but it's far more secure.
That's the way to do it! Maybe I'll do it some day.
Penalty Box
Jun 24, 2015
4965 posts
1497 upvotes
0 downvotes
Should be "have I been owned", but for some reason the guy spelled it "pwned". How do you pronounce this website? My godfather pronounces it "have I been pawned", whereas I pronounce it "have I been pwned", exactly as it's spelled, which confuses the heck out of people.
Hi
Deal Addict
Dec 19, 2015
1372 posts
685 upvotes
Calgary, AB
alpovs wrote: I save my login details in some apps on the phone, but I don't use my phone for anything serious like banking or purchasing. I save my login details in the browser on my PC. And it's Firefox without a connection to any account, not Chrome, which always wants you to connect to your Google account and save everything you do. And not Edge, which I think wants the same with Microsoft. And I save my login details in a text file on my PC 😝 Sometimes I think I should copy them to a paper notebook, but I've been too lazy to do that.
Well, that answers whether anyone should listen to you regarding internet security! 😂