Is it Safe to Accidentally Paste Password into Browser URL Field?

Suppose you type or paste some text from the clipboard into the url bar in Chrome browser (but you don’t press ENTER). After deleting the text and changing your password, just to be safe, you wonder –

Did that information get sent to Google?

Answer

In most browsers, yes. This happens because the browser sends the address bar text to a predictive service (commonly Google’s) for search suggestions. Some browsers (eg, Firefox) ask before doing this (just the first time).

How dangerous is this?

Depends on where your browser is sending this suggestion text and how paranoid you are. Eg, Google should use:

https://www.google.com/complete/search?client=chrome&q=%s

And you note that this uses HTTPS, so no one else on the network can see your password. I can’t imagine that any browser would be configured by default to use a suggestion service that doesn’t use HTTPS, but if any did, you’d have to worry about your password thus being visible to anyone listening on your network.

But even with HTTPS, your password can certainly appear in server logs at Google and employees could potentially see it. That said, realistically, there’s not a great deal of risk. Google’s got far too high of a volume of requests to pay attention to any in particular, nor is there any way to know that any given query is a password. So it’s very understandable that you might pass it off as so low risk that it’s not worth changing your password (although it is a non-zero level of risk). I talk about Google here specifically, but the same applies to other major search engines, too.

Leave a Reply

Your email address will not be published. Required fields are marked *