Apple's New AI Password Manager: Solving Real Security Problems—Or Creating New Ones?
Key Takeaways
- Apple's automation directly solves a documented security problem: users consistently fail to change compromised passwords, even when warned, leaving exposed credentials vulnerable to attackers for longer periods
- The feature must operate within the complex, variable open web environment, potentially encountering redirects, pop-ups, MFA challenges, unusual password rules, and website implementations that may have changed since the AI was trained
- Critical security architecture questions—including authorization models, approval workflows, failure recovery, and supported-site requirements—remain publicly undocumented as the feature is still in developer beta
Summary
Apple announced at WWDC26 that the Passwords app in iOS 27, iPadOS 27, and macOS 27 will use Apple Intelligence to automatically change weak or compromised website passwords. The agentic AI feature navigates websites, signs in with existing credentials, generates and enters strong new passwords, and saves them automatically—addressing a critical security problem where users routinely ignore compromised password warnings and fail to take remedial action. While the security benefit is real—research shows users rarely change breached passwords and often reuse similar ones—the feature raises substantial concerns about giving autonomous AI authority to perform high-impact account changes on the unpredictable open web. Key questions about authorization architecture, failure handling, supported website requirements, and approval models remain unanswered as the feature is currently in developer beta, and security professionals emphasize the importance of these details being resolved before the feature reaches consumer users in the fall.
Editorial Opinion
Apple's password-changing agent represents a meaningful step forward in closing the gap between security advice and user behavior, but it fundamentally shifts the risk model from user action to AI authority. The real question isn't whether AI can automate password changes—it's whether we've adequately thought through the security implications of letting algorithms perform sensitive account operations on websites they didn't design and can't fully understand. The devil will be in the details of Apple's authorization architecture, and those details need careful public scrutiny before this becomes a standard consumer feature.



