
Apple’s iOS 27 Will Change Your Passwords for You. Security Experts Aren’t Sure That’s Safe.

Apple's new iOS 27 feature fixes compromised passwords automatically — but security researchers warn that an AI agent with sign-in privileges is a fundamentally new attack surface.
June 10, 2026
Apple Passwords app on iOS 27 showing the Security tab with compromised password list
Apple's Passwords app in iOS 27 introduces agentic AI that automatically fixes compromised credentials. [Image Source: Apple / 9to5Mac]

CUPERTINO — The feature Apple announced at WWDC 2026 for its Passwords app sounds almost frictionless: tap once, and an AI agent navigates to each compromised website, signs in, generates a stronger credential, and saves it — all without the user lifting another finger. For the millions of iPhone owners who know their passwords are weak but never get around to fixing them, it could be the most practically useful thing Apple Intelligence has ever done.

Whether it is also secure is a question the company has not fully answered.

Apple described the feature in its WWDC keynote as using “Apple Intelligence and Safari to agentically take action on a user’s behalf,” with Passwords navigating through websites to sign in and upgrade accounts to strong passwords. The existing Passwords app and Safari already flag weak, duplicate, or compromised credentials, but until now have never tried to automatically fix them. The new capability changes that fundamental relationship between the software and the user’s accounts — from advisor to actor.

The operational mechanics, as Apple demonstrated them, are straightforward enough. Users visit the Security tab in the Passwords app, where compromised or weak entries appear in a proactive list. A single tap on a “Fix Passwords” button starts the process; progress indicators show each stage, from signing in to confirming the security upgrade, and the user can cancel midway. The replacement passwords themselves are not in dispute: according to NordPass’s online password checker, the strings Apple’s Passwords app generates by default are rated “strong” and would take centuries to crack by brute force.

The problem is everything that has to happen between the tap and the confirmation.

Security researcher Kyle Reddoch, writing the day of the WWDC announcement, identified the core issue: an agent changing a password is not text generation. It is an agent taking action with a sensitive credential — and it must understand and perform an entire workflow that can include redirects, pop-ups, unusual password rules, multiple accounts on the same domain, reauthentication prompts, MFA challenges, confirmation emails, and expired sessions. Any one of those steps, handled incorrectly, could lock a user out of an account entirely, or worse, execute a change that a maliciously crafted webpage was designed to intercept.

Apple Passwords app in iOS 27 showing the Fix Passwords agentic AI screen
The Passwords app in iOS 27 can automatically update weak and compromised credentials using Apple Intelligence. [Image Source: Apple / Macworld]

Reddoch cited the joint Five Eyes intelligence community guidance on the careful adoption of agentic AI services, which states the foundational risk plainly: an agent’s privileges directly determine the risk it can introduce. The guidance recommends least privilege, strong oversight, human approval for high-impact actions, detailed logging, and fail-safe behavior when the system is uncertain. Apple’s new Passwords agent combines at least three high-privilege capabilities at once: it can authenticate as the user, it can change account credentials, and it can do so across potentially hundreds of accounts in a single session. This is exactly the kind of agentic capability Apple’s Siri overhaul is built around, and it is where the gap between the marketing and the fine print matters most.

Apple said the new capabilities are powered by the next generation of Apple Foundation Models, running on device and on servers using Private Cloud Compute — the company’s framework for offloading AI workloads to Apple-owned servers with cryptographic commitments that prevent Apple itself from inspecting the data it processes. It is a credible privacy architecture, subject to public audit. But privacy guarantees and security guarantees are not the same thing, and Apple has said little publicly about what happens when the agent encounters a site it cannot successfully navigate, or one designed to mislead it.

The question of thresholds has gone largely unasked in the first wave of coverage. Apple described the feature as targeting “weak and compromised passwords” and “eligible accounts,” but has not defined either boundary publicly. Third-party managers like 1Password grade credentials on a detailed scale, distinguishing between passwords that are merely guessable, reused across sites, or confirmed to appear in known breach databases — three separate categories with different remediation urgency. Whether Apple’s agent will treat reused passwords as “eligible” for automatic change remains unclear from the WWDC presentation, and the distinction matters: a reused password on a bank account and a reused password on an expired newsletter subscription are not the same risk profile.

Apple also showed a Live Activity that lets users monitor the process in real time as credentials are updated across their accounts. That addresses part of the transparency concern. Real-time visibility into a process and meaningful control over a process are different things, however. A Live Activity that reads “Updating account 47 of 200” does not tell the user which websites the agent is currently authenticated against, or whether any of those sessions will remain active after the password update completes. That ambiguity matters particularly for accounts tied to financial institutions or health services, where an unintended active session carries consequences beyond an inconvenient lockout. The scale of credential exposure across the web is already severe enough that the last thing security professionals want is a new pathway for automated account access.

Security professionals have long stressed that weak and reused passwords remain a primary vector for breaches even in 2026, and automating fixes could meaningfully lower that risk for ordinary users who never update credentials manually. That is the genuine value proposition, and it should not be dismissed. The counter-case is that the feature moves Apple from a company that stores credentials on your behalf to one that acts on your behalf — a distinction that matters enormously if Apple Intelligence makes a mistake, encounters an adversarial web environment, or if the agent itself is compromised. A quieter iOS 27 change that lets users fine-tune what agents can do on their behalf would help — but Apple has not confirmed whether such granular controls will ship alongside the password feature.

Reaction among security-conscious users was pointed. On MacRumors, one user wrote that the feature was “a cool way to get locked out of your own accounts by trusting AI to do this ‘simple’ task.” That reads as snark, but it reflects a legitimate engineering concern. A password manager that only warns you of a problem leaves every mistake recoverable. One that acts autonomously across your entire account library does not, at least not without a clear rollback mechanism, which Apple has yet to describe.
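The controls this article says Apple has not described (the Five Eyes recommendations of least privilege, per-account human approval for high-impact actions and fail-safe behavior, and the rollback point the MacRumors comment is really asking for) can be made concrete. The Python below is an added illustration written for this edit; it is not Apple’s code and does not claim to reflect how the Passwords agent works. The FakeSite class, the “financial” and “health” category tags, the approval callback and the sample accounts are all constructed assumptions. The point it demonstrates is that the vault must keep the old password until a fresh sign-in with the new one succeeds, must refuse to submit a credential anywhere but the stored origin, and must hand MFA prompts and unexpected failures back to the user rather than guess.

```python
# Added illustration of a fail-safe credential-rotation loop; not Apple's code.
import secrets
import string
from dataclasses import dataclass
from urllib.parse import urlsplit

HIGH_IMPACT = {"financial", "health"}  # assumed categories needing per-account approval

@dataclass
class Credential:
    origin: str               # origin the password was saved for
    username: str
    password: str
    category: str = "general"
    candidate: str = ""       # new password retained for recovery if verification fails

@dataclass
class Outcome:
    status: str               # "rotated", "needs_approval" or "aborted"
    reason: str = ""

class FakeSite:
    """Constructed stand-in for a website; models redirects, MFA and silent truncation."""

    def __init__(self, origin, password, *, redirect_to=None, mfa=False, truncate_to=None):
        self.origin, self.password = origin, password
        self.redirect_to, self.mfa, self.truncate_to = redirect_to, mfa, truncate_to
        self.sessions = set()

    def navigate(self, url):
        return self.redirect_to or url   # an off-origin bounce is the phishing case

    def login(self, password):
        if password != self.password:
            return None
        if self.mfa:
            return "mfa_required"
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def change_password(self, session, old, new):
        if session not in self.sessions or old != self.password:
            return False
        # A legacy site that silently truncates is a classic lockout trigger.
        self.password = new[: self.truncate_to] if self.truncate_to else new
        return True

    def logout(self, session):
        self.sessions.discard(session)

def generate_password(length=20):
    alphabet = string.ascii_letters + string.digits + "-_!"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def rotate(cred, site, approve):
    """Rotate one credential; the old password stays in the vault until the new one is proven to work."""
    if cred.category in HIGH_IMPACT and not approve(cred):
        return Outcome("needs_approval", "high-impact account: ask the user before acting")
    landed = site.navigate(cred.origin)
    if not same_origin(landed, cred.origin):
        return Outcome("aborted", f"redirected off-origin to {landed}; password not submitted")
    session = site.login(cred.password)
    if session is None:
        return Outcome("aborted", "stored password rejected; nothing changed")
    if session == "mfa_required":
        return Outcome("aborted", "MFA challenge: hand control back to the user")
    candidate = generate_password()
    if not site.change_password(session, cred.password, candidate):
        site.logout(session)
        return Outcome("aborted", "site rejected the new password; old one still valid")
    site.logout(session)                   # never leave the agent's session alive
    check = site.login(candidate)          # verify from a fresh session before committing
    if check is None:
        cred.candidate = candidate         # give the user recovery data instead of failing silently
        return Outcome("aborted", "new password does not sign in; old kept, candidate saved")
    site.logout(check)
    cred.password = candidate              # commit only after the round trip succeeded
    return Outcome("rotated")

def run_demo():
    """Constructed accounts covering the happy path and the failure modes discussed in the article."""
    cases = {
        "newsletter": (Credential("https://news.example", "u", "pw1"), FakeSite("https://news.example", "pw1")),
        "bank": (Credential("https://bank.example", "u", "pw1", "financial"), FakeSite("https://bank.example", "pw1")),
        "phish": (Credential("https://shop.example", "u", "pw1"),
                  FakeSite("https://shop.example", "pw1", redirect_to="https://shop.example.login.attacker.test/")),
        "mfa": (Credential("https://mail.example", "u", "pw1"), FakeSite("https://mail.example", "pw1", mfa=True)),
        "legacy": (Credential("https://legacy.example", "u", "pw1"), FakeSite("https://legacy.example", "pw1", truncate_to=16)),
    }
    never_approve = lambda cred: False     # the user has not approved any high-impact change
    return {n: (rotate(c, s, never_approve), c, s) for n, (c, s) in cases.items()}
```

Running `run_demo()` rotates only the newsletter account; the bank stops at the approval gate, the redirecting site never receives the password, the MFA-protected site is handed back to the user, and the truncating legacy site ends in an abort that keeps the old password and preserves the candidate so the user can recover rather than being silently locked out. Note what the client cannot do from here: it cannot see or end sessions the server keeps alive elsewhere, which is why the question of lingering sessions raised above has to be answered by the service, not the agent.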

iOS 27 is expected in developer beta immediately following WWDC, public beta next month, and a general release to all users in September. That gives Apple several months to refine the feature before it reaches the more than one billion active iPhone owners who will be offered the option to let their phone handle their passwords for them. Whether those users understand the distinction between “my phone stores my passwords” and “my phone logs into my accounts” — and whether Apple intends to explain it — is the question September will actually answer.

Technology Desk

The Technology Desk leads The Eastern Herald's coverage of consumer technology, online platforms, artificial intelligence, and internet policy.
