The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Apple’s Passwords app will soon let you automatically update passwords
We know people reuse passwords, and that’s a real problem.
When you reuse your passwords, an attacker only needs to breach one service to get your credentials, and then they can try them across multiple services to see where else they work. You can isolate the damage by using a password manager, which will help you to create long, random, and unique passwords, and to fill them out automatically when you log in.
After you’re set up, this will be a major time saver. Because your password manager will fill in the correct credentials, you’ll rarely mistype a password or see a “password incorrect” error message again. But to make the most of a password manager, you will need to go into all of the relevant accounts and update your credentials. I really, really don’t love this part.
So in iOS 27, Apple is introducing a feature in its Passwords app that the tech giant says will allow users to automatically upgrade all of their weak or compromised passwords. The app uses a combination of on-device automation and Apple’s Private Cloud Compute, which promises that it will not retain personal user data following a request. Read more about Apple’s new password feature.
What you can do
We always encourage journalists to use a password manager to make it harder for attackers to hijack your accounts. Given that agentic AI sometimes makes mistakes, it’s too soon to tell how well Apple’s new feature will work in the wild. But if it does what’s promised, it would solve a meaningful problem, because — especially when you first get started using a password manager — rotating old passwords is a headache. We hope Apple will nail this, and we’re going to watch it closely and experiment with these new tools. In the meantime, there are some things you can do today.
- Think through Apple’s Passwords/Keychain offerings. Using iCloud, the Passwords app will save and sync your randomly generated passwords across your Apple devices, and it’s always end-to-end encrypted, so even Apple doesn’t get a copy of your passwords. This is great if you live primarily in Apple land. But I have to tell you, I just generated a strong, unique, random password on my Passwords app — a long mix of random letters, numbers, and symbols. It’s inscrutable, and not something I’d ever want to type in by hand. So if you also use Android, Windows, or other operating systems where you’d need to type in your random password, this could create some minor headaches. This is one reason we typically recommend password managers that work on every major platform, which leads us to …
- Oh my goodness, just use a password manager. We know that some newsrooms do not use a password manager, or are in the process of adopting one. Password managers are an inexpensive (sometimes even free) tool for helping you to minimize the risk of account breaches. We strongly recommend journalists use one, but which one to choose depends on your needs. If you’ve been flirting with the idea, read our guide to choosing a password manager.
- Don’t stop there. Use two-factor authentication. At some point in the recent past, when you’ve signed into a website or app (e.g., into your bank account), you have probably been asked to type in a second piece of information, like a six-digit code, to prove you are who you say you are. Even if your password is leaked, this second piece of information — a second “factor” — will help to meaningfully harden your account. Check out our guide to two-factor authentication to get started.
Updates from our team
- We’ve been updating dozens of our articles. Two of the more substantial changes I want to highlight pertain to Signal and WhatsApp. When you call someone (say, a source) on Signal or WhatsApp, you are also making a peer-to-peer connection with them. This means intermediaries, such as your internet service provider, may be able to see who you’re connecting to. This would be a problem if you are talking to someone who does not want to be identified. We have guidance on how to deal with this issue. Check out our English guides to locking down Signal and upgrading WhatsApp security. We’re also in the process of updating our Spanish-language guides accordingly, so look out for those very shortly.
- Are you joining INN Days in Pittsburgh this week? Say hi to my colleague Abigail LP, who will be in attendance. We’d love to connect and learn about your security concerns.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation




