Hello!
Let's start off at 1! You can learn more about the detection of compromised passwords here: Change weak or compromised passwords on iPhone - Apple Support. As a security graduate, I can tell you that yes, using the same password for everything is really bad! All it takes is one password leak, which in this case happened, and all your accounts are now compromised. Good news! You don't need to remember long and complex passwords. iCloud Keychain does that for you! You can use iCloud Keychain as a password manager; it will even suggest strong, unique, and random passwords for you to use. All you need to know is one strong and unique password (your Apple ID password) and iCloud Keychain will do the rest!
On iPhone:
- Open Settings on iPhone
- Scroll down and tap on Passwords
- Authenticate
Now you can click on the "+" in the upper right corner to add new passwords. You'll need to specify the website, username, and password, but before you fill out anything just tap on the password field. Above the keyboard you'll notice a "Strong Password Suggestion" you can use. This will allow you to use strong and unique passwords. Better yet, when logging onto a website your phone will suggest signing in with these credentials, preventing you from typing that password every time.
When you sign up for a website and click on the password field, iCloud Keychain will suggest a strong password for you. After the sign-up process you will be given a prompt to save this password in your Keychain. Oh, and I forgot to mention, your iCloud Keychain is synced with all your devices! Sign up for something on your Mac? You can still use those credentials on iPhone to authenticate with a website.
Please read the following support pages:
- Set up iCloud Keychain - Apple Support
- Manage passwords using keychains on Mac - Apple Support
However, it is worth mentioning that passwords may change very, very soon. At WWDC 2022, Apple announced a new feature called "Passkeys." You can get a brief description from the screenshot below:

Please also read these support pages:
- Passkeys Overview - Apple Developer
- About the security of passkeys - Apple Support
I don't want to try explaining it as it's a very complex and advanced topic. If you have a chance, I'd highly recommend just looking at what Apple and other companies are doing with Passkeys. I'm very interested to see where this goes.
Off to the second one. You need to make sure you're changing the password on the website as well. Then I'd recommend waiting for the system to update. I personally haven't had any compromised passwords, because I always use the iCloud Keychain suggested or very custom passwords I save in iCloud Keychain. I've had friends with no issues with this feature either who did have compromised passwords. I'd recommend just changing the passwords to strong, unique, and random strings (characters) both in iCloud Keychain and on the affected website.
Remember, passphrases are better than passwords 😉
I know I went into a lot of detail here, but please let me know if you have any further questions! I hope I answered everything!