JANUARY 2022 MACWORLD 113entering the password for a site they
weren’t visiting.
But on closer examination and a little
research, I realized it was legitimate. I’d
never received this kind of alert from Apple
in Safari, despite the feature first appearing
in operating system releases in the third
quarter of 2020. (That makes me lucky.)
Because any legitimate security alert
will be duplicated and impersonated by
phishers and scammers, you can validate
that it’s genuine by visiting one of the
following locations:
In iOS or iPadOS, go to Settings →
Passwords.
In Safari, go to Safari → Preferences →
Passwords.
In macOS 12 Monterey, use Safari or
the Passwords preference pane.
In each of those locations, you’ll see an
alert about the password in question. If
you dismiss the alert in Safari, it won’t
appear, however.
Tap or click Change Password on the
website, and Apple opens a browser
window (within Passwords in iOS/iPadOS)
where you can log in and then change
your password, and agree to store the
new one when the operating system
prompts you to update the stored entry. If
the site includes a configuration file in a
special location (fave.co/3ECw6tN), Apple
opens directly to a web page for that site
where you can change your password
without further navigation.
While fixing one password, you can
review others. At the top of the Passwords
list in iOS, iPadOS, and macOS, there’s a
Security Recommendations heading (tap it
in iOS and iPadOS). You can scroll through
a list of potentially compromised
passwords, as well as those the password
system has identified as weak or used by
two or more sites. Change those to reduce
the risk of having accounts hijacked.
And while you’re at, sign up for
notifications at Have I Been Pwned? (fave.
co/3hr8Cxw), a website that emails you if
email addresses you register with the site
appear in a data breach—one that’s
dumped in a public repository or found by
researchers. 1Password relies on this
database, while Apple seems to consult it
along with other sources. ■This Safari Start Page alert seemed suspicious, but it’s legitimate, and you can cross-check it.