When Safari flashes a ‘Compromised Password’ warning, pay attention

2021-11-30

Apple pushes password alerts to Safari’s Start Page, which may seem alarming, but it’s legitimate.

I brought up a Start Page in Safari 15 and a banner at the top read Compromised Password. I first thought that I must have been redirected to a website that looks like the Safari Start Page. The alert looked just like the kind of phishing technique that would lure someone into entering the password for a site they weren't visiting.

But on closer examination and a little research, I realized it was legitimate. I'd never received this kind of alert from Apple in Safari, despite the feature first appearing in operating system releases in the third quarter of 2020. (That makes me lucky.)

This Safari Start Page alert seemed suspicious in itself, but it's legitimate, and you can cross-check it.

Because any legitimate security alert will be duplicated and impersonated by phishers and scammers, you can validate that it's genuine by visiting one of the following locations:

  • In iOS or iPadOS, go to Settings > Passwords.
  • In Safari, go to Safari > Preferences > Passwords.
  • In macOS 12 Monterey, use Safari or the Passwords preference pane.

In each of those locations, you'll see an alert about the password in question. If you dismiss the alert in Safari, it won't appear, however.

Tap or click Change Password on the website, and Apple opens a browser window (within Passwords in iOS/iPadOS) where you can log in and then change your password. Agree to store the new one when the operating system prompts you to update the stored entry. If the site includes a configuration file in a special location, Apple opens directly to a web page for that site where you can change your password without further navigation.

While fixing one password, you can review others. At the top of the Passwords list in iOS, iPadOS, and macOS, there's a Security Recommendations heading (tap it in iOS/iPadOS). You can scroll through a list of potentially compromised passwords, as well as those that the password system has identified as weak or used by two or more sites. Change those to reduce the risk of having accounts hijacked.

And, while you're at it, sign up for notifications at Have I Been Pwned?, a website that emails you if email addresses you register with the site appear in a data breach, one that's dumped in a public repository or found by researchers. 1Password relies on this database, while Apple seems to consult it along with other sources.

Glenn Fleishman

Macworld.com
