Since I updated to macOS 15.4, in my passwords app, every single password without username is marked as compromised. These passwords don't appear in the security section in the app; yet, when we search the password, it is marked as compromised. When I try to add a new password without username it is marked as compromised. However, when I add the very same password with a username, the warning doesn't appear. Anyone experiencing the same problem? Do you think these passwords are really compromised?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Bug in Passwords app: passwords without username compromised
- Thread starter TecTXp1
- Start date
-
- Tags
- apple passwords bug macos 15.4
- Sort by reaction score
Are you sure it's not because of short and/or simple or very common passwords? I have several Password entries with just a password without any user name, and none of them are marked as compromised. See the security comment for possible reasons you might be seeing them marked as being compromised. E. g.
Attachments
No, I don't think so. It only started happening since the update do Sequoia 15.4. Existing passwords without username that weren't flagged as compromised (that are very long and secure) were since the update flagged as compromised. The same is happening with me on iOS 18.4
Well, the 1a2b3c… is definitely a compromised password, as insecure as password123456 and whichever other simple non-secure passwords. So in this case I definitely believe the Compromised Password security message, and find it more of a bug that it doesn't come up with an alert once a user name is added 
The fact that you say your strong passwords have the same message is more worrying though. What happens if you change one of them slightly, or completely replace it with a different new strong password?
The fact that you say your strong passwords have the same message is more worrying though. What happens if you change one of them slightly, or completely replace it with a different new strong password?
But notice that the 1a2b3c password only appears as compromised when it doesn't have an username. When it has a username, it isn't flagged as compromised; the same is happening with other real passwords. That's what's worrying me. Are these passwords really compromised or it's just a bug?
That is definitely an issue with the different behaviour with the same simple password with or without a user name.… and find it more of a bug that it doesn't come up with an alert once a user name is added
With your strong password only entries though, something seems to be unique to either your setup or your actual passwords, as my screenshot above shows that I do not get any security alerts with any of my single password only entries.
Best to really try and change one of these strong passwords to a completely new one, maybe one randomly suggested by the Password app itself, to see if the problem persists for you.