Password Monitoring
Password Monitoring is a feature that matches passwords stored in the user’s Password AutoFill keychain against a continuously updated and curated list of passwords known to have been exposed in leaks from different online organizations. If the feature is turned on, the monitoring protocol continuously matches the user’s Password AutoFill keychain passwords against the curated list.
How monitoring works
The user’s device continuously performs round-robin checks on a user’s passwords, querying an interval that’s independent of the user’s passwords or their password manager usage patterns. This helps ensure that verification states remain up to date with the current curated list of leaked passwords. To help prevent leakage of information related to how many unique passwords a user has, requests are batched and performed in parallel. A fixed number of passwords are verified in parallel on each check, and if a user has fewer than this number, random passwords are generated and added to the queries to make up the difference.
How passwords are matched
Passwords are matched in a two-part process. The most commonly leaked passwords are contained within a local list on the user’s device. If the user’s password occurs on this list, the user is immediately notified without any external interaction. This is designed to ensure that no information is leaked about the passwords a user has that are most at risk due to a password breach.
If the password isn’t contained on the most frequent list, it’s matched against less frequently leaked passwords.
Comparing users’ passwords against a curated list
To verify whether a password not present in the local list is a match involves some interaction with Apple servers. To help ensure that legitimate users’ passwords aren’t sent to Apple, a form of cryptographic private set intersection is deployed that compares the users’ passwords against a large set of leaked passwords. This is designed to ensure that for passwords less at risk of breach, little information is shared with Apple. For a user’s password, this information is limited to a 15-bit prefix of a cryptographic hash. The removal of the most frequently leaked passwords from this interactive process, using the local list of most commonly leaked passwords, reduces the delta in relative frequency of passwords in the web services buckets, making it impractical to infer user passwords from these lookups.
The underlying protocol partitions the list of curated passwords, which contained approximately 1.5 billion passwords at the time of this writing, into 215 different buckets. The bucket a password belongs to is based on the first 15 bits of the SHA256 hash value of the password. Additionally, each leaked password, pw, is associated with an elliptic curve point on the NIST P256 curve: Ppw = ⍺·HSWU(pw), where ⍺ is a secret random key known only to Apple and HSWU is a random oracle function that maps passwords to curve points based on the Shallue-van de Woestijne-Ulas method. This transformation is designed to computationally hide the values of passwords and helps prevent revealing newly leaked passwords through Password Monitoring.
To compute the private set intersection, the user’s device determines the bucket the user’s password belongs to using λ, the 15-bit prefix of SHA256(upw), where upw is one of the user’s passwords. The device generates their own random constant, β, and sends the point Pc = β·HSWU(upw) to the server, along with a request for the bucket corresponding to λ. Here β hides information about the user’s password and limits to λ the information exposed from the password to Apple. Finally, the server takes the point sent by the user’s device, computes ⍺Pc = ⍺β·HSWU(upw), and returns it, along with the appropriate bucket of points—Bλ = { Ppw | SHA256(pw) begins with prefix λ}—to the device.
The returned information allows the device to compute B’λ = {β·Ppw | Ppw ∈ Bλ}, and ascertains that the user’s password has been leaked if ⍺Pc ∈ B'λ.