I almost searched my password, but didn't press enter. Is my password at risk, because of autocomplete or anything else?

I highly doubt it.

  • You didn't press enter but Google will sometimes send the information to quickly present your results. This is forced over HTTPS. Your information was likely encrypted and not exposed.
  • According to most sources Google processes on average 3.5 billion searches per day. There is no additional information to prove your query is a password. Nor is there any public way for a person to get the search queries of a particular Google user. So they would have to be an actual employee of Google. The likelihood of a internal Google employee to trying your search queries as passwords to your account is highly unlikely. It might not even be possible for most standard Google employees to get such identifying information. But if so, the possibility of one with such access purposely targeting you is astronomical.
  • Again, there is no additional context to prove it is your password. Nor is your user information submitted with your query. So in the event of a MITM attack where they can read your traffic I would still factor it as real low as they would also have to have your username.

I am going to flat out say there 99.9% chance you have nothing to worry about. If you are wearing a tin foil hat or still have a nervous tick then change your password. If you don't use this password elsewhere then you're golden since it isn't like they could log in with an old password. Otherwise I would move on and not worry about it.

Edit: @reirab made a point it could make it pop up in features that use your search history. I don't believe this happens if you don't press submit. But if you want to be sure clear your search history with Google. I can't be sure this clears it from Google's servers but it should prevent them from popping up in the auto-complete.


I recommend that you change your password. The fact is, that your password has been sent to their servers, even if you didn't press enter.

You can test that on your own, open your browser, Ctrl + Shift + I, select network, start typing and monitor traffic.

Here is an example, writing the keyword "test", and not pressing enter.

Pay attention to the letter q, which stand for search query: t, te, tes, test, as you can see this is almost the same thing as a keylogger.

enter image description here


It has been sent (encrypted) to Google. Change your password

It has probably been logged somewhere, along with many search terms and other junk people have typed there. While it's unlikely it will be used for anything you care or that endangers your account, why bear the risk? Simply changing it will solve it.

PS: I recommend using a browser search bar, with suggestions disabled.

Tags:

Logging

Authentication

Passwords

Recent Posts