
Password breach warning on HL?

I got a bit of a surprise from Google Chrome when I logged into my HL account earlier (see image below). When I clicked on the information bubble, the pop-up said that Google checks passwords that have been "published" and found mine ... and it's not as if I use 1234 or 9999 so I'm a bit confused as to how it would have been published (I realise this doesn't mean "published" in the traditional sense). Apparently, the warning relates not just to the password, but the username and password combination - but my HL username is unique (I don't use it elsewhere). The password is also currently unique.

I only changed the password about a month ago. Has anybody got previous experience of this?



(Nearly) dunroving

Comments

  • Prism
    Prism Posts: 3,847 Forumite
    It's saying that the password that you have used has been seen and used before, but possibly not by you. It doesn't need to be your combination of username/password.
    The only real way to reduce the risk of this is to use a random complex password that doesn't resemble a word in any way. You might get away with a password phrase if HL allows spaces in passwords. I would suggest turning on multi factor authentication too.
  • Eco_Miser
    Eco_Miser Posts: 4,847 Forumite
    You can still use a password phrase even if HL doesn't allow spaces. Just omit them, making a rather long word, or replace_with_underscores.
    Eco Miser
    Saving money for well over half a century
  • MaxiRobriguez
    MaxiRobriguez Posts: 1,783 Forumite
    edited 15 July 2020 at 2:19PM
    It's a valid warning. It's not saying you've done anything wrong but that at some point, somewhere on the internet, someone has used the username/password combination as an authentication to a site, and that site leaked that authentication data to a malicious actor.

    Whilst your HL account is unlikely to be accessed, you should still change your password as it is a risk that you can mitigate easily. Use a random generator for your next password.

    Thank Chrome for the service rather than ignore it!
  • dunroving
    dunroving Posts: 1,903 Forumite
    It's a valid warning. It's not saying you've done anything wrong but that at some point, somewhere on the internet, someone has used the username/password combination as an authentication to a site, and that site leaked that authentication data to a malicious actor.

    Whilst your HL account is unlikely to be accessed, you should still change your password as it is a risk that you can mitigate easily. Use a random generator for your next password.

    Thank Chrome for the service rather than ignore it!
    The problem with completely randomly generated passwords is you have to write them down somewhere. I use passwords nobody would guess, but I have a system to remember. As per your advice, I'll change my password (again). 
    (Nearly) dunroving
  • Eco_Miser
    Eco_Miser Posts: 4,847 Forumite
    edited 15 July 2020 at 3:30PM
    Use a password manager to store (and generate) long complex passwords, and copy/paste them into the password field.
    Having a system is great, but it seems somebody else is using the same system, and creating the same password.
    Eco Miser
    Saving money for well over half a century
  • or use the first initial of the words of a song or poem you know - pref an obscure song. A simple example of a password based on that is:

    gsogqllonqgstq  (god save the queen)
    or

    atkhaalkmcphta (all the kings horses...)

    Add a capital letter and maybe a special character and you are good to go.

    A different song for different sites.


  • ANGLICANPAT
    ANGLICANPAT Posts: 1,455 Forumite
    edited 15 July 2020 at 5:23PM
    I have been getting the same problem. I changed my password and am still getting it. Will try a more complicated password and see what happens. My username is long and unusual as well as the password not being particularly short or ordinary, so I'm quite surprised if it's been used elsewhere. (It's not me either, I have different on every site I use.)
  • dunroving
    dunroving Posts: 1,903 Forumite
    I have been getting the same problem. I changed my password and am still getting it. Will try a more complicated password and see what happens.
    That's what is slightly confusing me. I use passwords that, while not random, don't mean anything and don't use "real words".

    I have changed the password now anyway, and will wait to see if the problem recurs.
    (Nearly) dunroving
  • Sebo027
    Sebo027 Posts: 212 Forumite
    or use the first initial of the words of a song or poem you know - pref an obscure song. A simple example of a password based on that is:

    gsogqllonqgstq  (god save the queen)
    or

    atkhaalkmcphta (all the kings horses...)

    Add a capital letter and maybe a special character and you are good to go.

    A different song for different sites.


    Genius idea!
  • dunstonh
    dunstonh Posts: 119,624 Forumite
    dunroving said:
    It's a valid warning. It's not saying you've done anything wrong but that at some point, somewhere on the internet, someone has used the username/password combination as an authentication to a site, and that site leaked that authentication data to a malicious actor.

    Whilst your HL account is unlikely to be accessed, you should still change your password as it is a risk that you can mitigate easily. Use a random generator for your next password.

    Thank Chrome for the service rather than ignore it!
    The problem with completely randomly generated passwords is you have to write them down somewhere. I use passwords nobody would guess, but I have a system to remember. As per your advice, I'll change my password (again). 
    Look up Bitwarden. https://bitwarden.com/
    There are others (such as LastPass, Dashlane etc).
    I am an Independent Financial Adviser (IFA). The comments I make are just my opinion and are for discussion purposes only. They are not financial advice and you should not treat them as such. If you feel an area discussed may be relevant to you, then please seek advice from an Independent Financial Adviser local to you.