Was the password randomly generated (e.g., a random 4-word passphrase, which is the best-practice recommendation for how to create a Bitwarden master password)?
Did you use the HaveUBeenPwned Password Check tool to see if they confirm that the password in question has been compromised?
Ty. I should clarify. It’s randomly generated however manually. Something akin to, for example:
Th1$Is@D3centPas$*(#_
for the master password. That one is fine and no complaints get raised. But when I add a secret to the vault, on first save it’s fine. But if I edit and save again, then it says pass has been compromised / breached etc.
Likewise, the test password I use for the vault secret I test add, is similarly generated to my example above.
It doesn’t make sense that any pass I generated results in that Google message, since it’s only a few seconds old or max 1 min old. How could it possibly already become compromised / breached in those few seconds? The email I used is also clean and has nothing attached to it on HaveUBeenPwned.
Steps to reproduce:
1 - Click New to create a new user/pass combo.
2 - Select ‘Login’ from drop down.
3 - Fill in the details.
4 - Add in a pass similar to example I provided above.
5 - Save pass.
6 - From main screen left click on the user/pass combination then Edit.
7 - Don’t change anything and save it.
8 - Google Error should be seen.
It almost sounds like there is a password harvester somewhere. So I tested this and logged out of my Google Account. Sure enough, the issue doesn’t happen when I’m not logged into my Google account in Chrome. Based on this single test, sounds like Google grabs the field and checks against itself, though it should know better than to do that.
Repeat your own “Steps to Reproduce”, but in Step 4, instead of trying to create a password yourself, click the icon:
Ensure that your password generator options have been set up as shown below (to generate a password, consisting of 14 characters, including upper- and lowercase letters, numbers, and special characters), then click the Use this password button:
This will create a password that is guaranteed to be unique and never before used by anybody else (which is important, because a given password will be flagged as compromised if any account in the whole world that uses the same password is included in a breach).
After generating the random password, for good measure, also click the button to verify that the password has not been seen in any breach:
Having done the above, proceed with Steps 5–8 of your test.
Logged back into my Google account before I proceeded. Then did all this, and in step #4 generated a new 14 length pass including the special characters and clicked the ‘check-circle’ / ‘check-box’ that the password was never used and it was never used.
Clicked ‘Save’ to take the new password and the same Google message:
“The password you just used was found in a data breach. Google Password Manager recommends changing your password now.”
Google’s password manager routinely produces false positives when warning about breaches (perhaps due to a bug, perhaps as a deliberate scare tactic).
Either one of these on its own should be sufficient reason to abandon Google’s password manager, and that’s what I recommend that you do.
Also, from your screenshot, it is evident that you are using the Web Vault app and not the browser extension (which is what is shown in my own screenshots); thus, I have changed your topic tag from app:browser to app:web-vault.