You should avoid reusing passwords across websites. The reason is that one group of hackers will successfully steal logins from, say, Dropbox and then share those logins with others, creating a database of passwords. Other groups then automate login attempts against other services, say Gmail, using this database, hoping to gain access to an account without actually having to ‘hack in.’

Safari and Chrome will now monitor these databases of stolen accounts, as many have leaked and become generally available. Here’s Apple’s description of the feature:

“Safari automatically keeps an eye out for any saved passwords that may have been involved in a data breach. Using advanced cryptographic techniques, Safari periodically checks a derivation of your passwords against an updated list of compromised credentials. If a breach is discovered, Safari helps you upgrade your existing passwords. All this is done without revealing your password information to anyone — including Apple.”

The best defence against this is to have unique passwords for each website, which does make remembering them all hard. But Safari will offer to remember the password for you, and it will even suggest a password. UNA recommends you allow Safari to save your passwords. It does this by keeping them in the macOS Keychain.

You can read about using this feature in the following guides:

Autofill your user name and password in Safari on Mac

Manage passwords using keychains on Mac

Chrome will do a similar thing, though you will have to manage the passwords in Chrome and not the macOS Keychain.
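To show how a browser can check "a derivation of your passwords" against a breach list without revealing the password, here is an added example (not Apple's, Chrome's or UNA's code) of a hash-prefix lookup, which also flags the password reuse discussed above. This page does not describe Safari's actual protocol; the SHA-1 derivation, the 5-character prefix, the `BreachListService` class and all sample data are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the digest shared with the service (assumed value)

def digest_of(password: str) -> str:
    """The 'derivation' in this sketch: an uppercase SHA-1 hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class BreachListService:
    """Hypothetical stand-in for the remote breach list; it only receives prefixes."""
    def __init__(self, leaked_passwords):
        self.buckets = defaultdict(set)
        self.queries_seen = []  # everything the service learns about the client
        for pw in leaked_passwords:
            d = digest_of(pw)
            self.buckets[d[:PREFIX_LEN]].add(d[PREFIX_LEN:])

    def range_query(self, prefix: str) -> set:
        self.queries_seen.append(prefix)
        return set(self.buckets.get(prefix, ()))

def is_compromised(password: str, service: BreachListService) -> bool:
    d = digest_of(password)
    # Only the short prefix leaves the device; many digests share each prefix.
    suffixes = service.range_query(d[:PREFIX_LEN])
    # The final match is made locally against the returned bucket.
    return d[PREFIX_LEN:] in suffixes

def audit(saved: dict, service: BreachListService) -> dict:
    """Flag saved logins found in the breach list and passwords reused across sites."""
    by_password = defaultdict(list)
    for site, pw in saved.items():
        by_password[pw].append(site)
    return {
        "compromised": sorted(s for s, pw in saved.items() if is_compromised(pw, service)),
        "reused": sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1),
    }

# Constructed sample data: a tiny breach list and a made-up set of saved logins.
LEAKED = ["hunter2", "letmein", "correct horse"]
SAVED = {"dropbox.example": "hunter2", "mail.example": "hunter2",
         "bank.example": "x9!Tq-unique-4471"}

if __name__ == "__main__":
    svc = BreachListService(LEAKED)
    print(audit(SAVED, svc))
    print("service saw only:", svc.queries_seen)
```

The service's record of the exchange (`queries_seen`) holds only 5-character prefixes, so it cannot tell which password, if any, matched.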

What to do when Safari tells you ‘your password is compromised.’

When Safari finds a compromised password of yours, you will see a notification similar to this:

If Safari has notified you of a compromised password, you can change the password by opening Safari, going to the Safari menu -> Preferences -> Passwords.
You can see a list of the compromised passwords, select one, and click the ‘Change on Website’ button.

If this is an old account or the password has already been changed, you can either delete the saved password using the ‘minus’ button at the bottom of the list (make sure what you’re deleting is no longer needed) or edit the saved password by clicking on the ‘Edit’ button.