Apple’s AI Now Updates Compromised Passwords—What Risks Lurk Behind the Convenience

How the Automatic Password Reset Works

Apple unveiled a new feature at WWDC 26 that lets its on‑device intelligence automatically replace passwords flagged as compromised. The rollout begins this fall for iOS 18, iPadOS 18, and macOS 15 users who enable the „Secure Pass” option in Settings. The technology promises to reduce phishing exposure while sparking concerns about AI‑driven credential control.

The system scans Apple’s breach‑monitor database, identifies vulnerable credentials, and generates fresh passwords without user input. It then stores the new login data in i Cloud Keychain, syncing across devices. Apple argues the process keeps data local, preserving privacy. Critics, however, warn that delegating password authority to a language model opens doors to prompt injection attacks, accidental lockouts, and misuse on compromised hardware.

When a breach is detected, the AI drafts a secure password based on Apple’s internal strength criteria. It then attempts to log into the associated service using the new secret. If the login succeeds, the AI updates the credential in i Cloud Keychain and notifies the user. Apple says the feature respects existing two‑factor authentication flows, prompting the user only when additional verification is required. Early testers report smooth transitions, but some services reject the AI‑generated passwords, forcing manual correction.

Can Users Trust an AI with Their Login Keys?

Security experts stress that any automated credential manager must be rigorously audited. Prompt injection—where malicious actors embed commands in seemingly benign text—could trick the AI into revealing stored passwords or creating back‑doors. Moreover, if a device is infected with malware, the AI might execute password changes that lock the rightful owner out. Apple counters that the AI runs in a sandboxed environment, isolated from third‑party apps, and that all operations are signed and verified by the Secure Enclave.

The broader implication is a shift toward AI‑mediated identity management. If Apple’s approach proves reliable, other platforms may adopt similar autonomous password services, potentially reducing human error but also amplifying the impact of any vulnerability. Ongoing monitoring, transparent reporting, and user consent mechanisms will be essential to balance convenience with security.

Frequently Asked Questions

What happens if the AI cannot change a password automatically? The system falls back to a manual prompt, asking the user to update the credential through the service’s website or app.

Is the new password stored securely? Yes. All generated passwords are encrypted in i Cloud Keychain and protected by the device’s Secure Enclave, limiting exposure to external threats.

Can I disable the feature entirely? Users can turn off „Secure Pass” in Settings at any time, reverting to traditional password management methods.