Chrome Could Automatically Change Leaked Passwords

John Lister's picture

Chrome may soon make it even easier to change a password after a data breach. An in-test feature would actively change the password on the user's behalf.

The change would affect what happens when Google auto-fills a password field using a stored password. The browser already checks such stored passwords against a database of passwords that have been breached and released publicly.

At the moment, Chrome simply warns users about such a breach and prompts them to change the password. However, the user then has to go manually to the password settings section or account settings on the website in question and make the change.

Canary In The Mine

The change has been spotted in Chrome Canary. That's a test version of Chrome where new features are rolled out to users outside of Google for the first time. It's generally only suitable for extremely confident users who are happy with the risk of something going seriously wrong. It's definitely more for enthusiast experimentation than for use as an everyday browser.

The test feature is currently dubbed "Automated password Change". Its description, along with early user experiences, suggests that when Chrome spots a compromised password, it will offer to not only generate a new, secure password, but also change it on the user's account at the website.

As usual with Chrome-generated passwords, there's no human involvement and the user doesn't need to decide or even see the new password, which will be stored in the browser for future use.

AI Not Explained

The feature is categorized in Chrome settings as being an "AI" feature, though Chrome doesn't explain how or why it is using artificial intelligence. It's possible the AI approach is used for finding the account settings section on the relevant site and then identifying the buttons or boxes to request and complete a password change. (Source: windowsreport.com)

As the feature is only in early testing, it's a bit fiddly to use at the moment. It requires changing a setting to manually mark all passwords as compromised (thus triggering the offer to change passwords). That's because it isn't yet connected to a real database of compromised passwords. (Source: arstechnica.com)

What's Your Opinion?

Do you use Chrome's password generation and storage tools? Does the offer to automatically change a compromised password appeal to you? Do you trust Chrome to correctly find and change passwords in user settings sections on different websites?


Comments

Dennis Faas's picture

This is an interesting idea but some password changes often trigger a "password reset" routine. In this case, you would first have to check your email for a confirmation link, then proceed to the website page where your old password must be entered and the new one. This not only changes your password but also ensures that the account owner (who also owns an email address) triggered the password change (reset) in the first place. I have a hard time envisioning how AI would be able to manage this unless you give AI full access to all of your emails and that will surely freak a lot of people out. If you used a Gmail address for all your accounts then that would be a different story because Gmail is already associated with Chrome (assuming you use Chrome).

Doccus's picture

Unfortunately the security feature of entering the old password before the new one has such an easy workaround that it's hardly a security feature at all; with most websites you just say "forgot password" and they let you pick a new one via email or text.
The other problem I can envisage is needing to know the updated PW. I keep a text file of every password, consistently updated, and I need to know the clear text versions of the new password in order to store them, and if they, when entered manually via copy and paste, will work OK as I *never* type in my passwords unless forced. Any ideas?

Edit: Regarding the first statement, obviously they have to gain control of your email first, which is why it's so important to watch your email account regularly. Once they do that they can do remarkable damage in minutes. So if Google (or whoever) says you have an unidentified login from Tahiti, Nigeria, or Port au Prince, or wherever, change the passcodes immediately! (of course).