How to use Apple’s new re-used password warning to reduce your risk of account hijacking

A new warning in both iOS 12 and macOS 10.14 Mojave alerts you when you use a password with two or more sites or apps.


The biggest risk when setting a password is re-using it across sites and services. Each re-use multiplies the impact of a breach at any one of those services: an attacker can take the account name and password leaked from the breached service and try that same pair at other sites (a technique known as credential stuffing). Wherever the pair matches, they’ve hijacked that account, too.

A unique password at every site is the goal, and Apple has added an alert in iOS 12 and macOS 10.14 Mojave that helps you get there.


This warning tries to push you towards a slightly lower level of risk online. Don’t worry: I’ve changed all those passwords.

In iOS 12, you find it in Settings > Passwords & Accounts > Website & App Passwords. In macOS Mojave, it’s located in Safari, in Preferences > Passwords. Any stored password that’s shared among multiple stored logins has a caution sign (black in iOS, the appropriate yellow in Mojave). Tap the entry in iOS or click the caution sign in Mojave’s Safari, and you get a more complete explanation.

You can also tap or click the proffered link to change the password. Apple takes you either to the account management page, on sites whose password-change URL Apple knows, or to the site’s homepage, from which you can navigate there yourself. Wherever the site lets you change the password, Safari autofills the old password and suggests a new, strong one, which it stores for you and, with iCloud Keychain enabled, syncs among all your devices.

In iOS, you can’t view all your reused passwords at once, but have to scroll to find them. Mojave, however, lets you sort by the caution sign in Safari’s preferences: click the empty space at the top of the caution column and it clusters all the reused passwords together, if you want to change them all at once.
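The check Safari performs behind that caution sign is simple to reproduce for any password list you can export. The following is an added example, not Apple’s code: it reads a constructed CSV export (the column layout is an assumption, modelled on what password managers typically export), groups logins by password, flags every login whose password appears on two or more entries, and clusters the flagged rows at the top the way Mojave’s sorted caution column does. Passwords are reported only as a truncated SHA-256 fingerprint so the output never echoes them.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (assumed format: site,username,password).
# These are invented logins for illustration, not real accounts.
SAMPLE_EXPORT = """site,username,password
example.com,alice,correct horse battery staple
shop.example.net,alice@example.com,correct horse battery staple
bank.example.org,alice,Tr0ub4dor&3
forum.example.io,alice_f,correct horse battery staple
mail.example.com,alice@example.com,Tr0ub4dor&3
news.example.co,alice,unique-and-long-passphrase-42
"""


def fingerprint(password):
    """Short SHA-256 fingerprint so reports never contain the password itself.
    Identical passwords yield identical fingerprints, which is all grouping needs."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def load_entries(csv_text):
    """Parse an exported password list into (site, username, password) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["site"], row["username"], row["password"]) for row in reader]


def find_reused(entries):
    """Return {fingerprint: [(site, username), ...]} for every password
    shared by two or more stored logins."""
    groups = defaultdict(list)
    for site, user, password in entries:
        groups[fingerprint(password)].append((site, user))
    return {fp: logins for fp, logins in groups.items() if len(logins) >= 2}


def flag_entries(entries):
    """One row per login: (is_reused, site, username, fingerprint).
    Reused rows are clustered first, then sorted by site, mirroring
    Safari's sortable caution column in Mojave."""
    reused_fps = set(find_reused(entries))
    rows = [(fingerprint(pw) in reused_fps, site, user, fingerprint(pw))
            for site, user, pw in entries]
    # `not r[0]` puts True (reused) before False; site name breaks ties.
    rows.sort(key=lambda r: (not r[0], r[1]))
    return rows


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for reused, site, user, fp in flag_entries(entries):
        print(f"{'!' if reused else ' '} {site:18} {user:20} pw#{fp}")
    groups = find_reused(entries)
    affected = sum(len(logins) for logins in groups.values())
    print(f"\n{len(groups)} password(s) reused across {affected} logins")
```

Run it against a real export only on the machine where the export lives, and delete the export file afterwards; the script does no network access and keeps nothing beyond the printed report.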

As another safeguard, sign up at Have I Been Pwned?, a free service offered by an Australian security researcher and trainer that alerts you whenever a new password breach appears that contains your email address. (The site’s operator doesn’t have your password or know if it’s been cracked.)

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
