What should I do if I type my password in the address bar, or type my password in Google search?
If you accidentally disclose your password -- either through typing it into the address bar, or in any other way -- it's best to change it.
There's no need for any complicated checklist. Simply change that password, everywhere that you used that particular password. This will protect you.
Is it absolutely necessary to change your password if you typed it into the address bar? Perhaps not -- in practice, the risk is probably modest. Then again, why take a chance? If you type it into the address bar, it may be disclosed in cleartext over the network. For instance, if you are currently connected using open Wifi, anyone within range of the network who is eavesdropping could capture your password. Also, your password could potentially be captured in various logs. So, at that point, rather than taking a gamble, the safest thing to do is to immediately change your password. If you do that, you'll probably be fine.
(Originally from here), this is a more detailed answer regarding pasting a password into the...
Address bar
In this scenario, name resolution is your worst enemy, as it leaks the password in multiple ways. Your password will leak to multiple DNS servers and through the local network – mostly in plain text, even if you are using an encrypted connection to your DNS resolver.
- DNS resolvers will not handle the query just within themselves: they will start asking it from the authoritative name servers, starting from the root servers, or from a forwarder that does it for them.
- As this is not a real working domain name, it will be also queried using
  - Multicast DNS (mDNS, RFC 6762) and
  - Link-Local Multicast Name Resolution (LLMNR, RFC 4795).
- Both mDNS and LLMNR are using IP multicasting.
  - By default, ethernet switches will flood these requests to every port, as they won't see the multicast MAC addresses beginning with 01:00:5e as a source address on any ethernet frame.
  - Some switches can limit this using IGMP snooping, but it's still possible for anyone to join these multicast groups to get these IP multicast transmissions.
In addition, the password will leak to your search provider with most modern browsers after the name resolution fails. Some browsers may also start sending out the contents of the address bar even before you have pressed Enter, as explained in an answer for "Does accidentally pasting password into browser URL field send it over the network?".
TL;DR: Change your password.
In this example, testp4ssw0rd is typed into the address bar of Google Chrome on Windows 10.
- The computer 192.0.2.100 has local domain (configured through DHCP) example.com and, as a common bad practice, example.local. The 192.0.2.254 is a router that also acts as a DNS resolver.
  - With example.com, the resolver, any MITM and the ns1.example.com will know the testp4ssw0rd.
  - With example.local, the NXDOMAIN reply comes from a root server.
- The mDNS (5353/udp) query testp4ssw0rd.local to 224.0.0.251 is an IP multicast query message with MAC address 01:00:5E:00:00:FB. It asks the host having that name to identify itself.
  - Likewise, LLMNR (5355/udp) query testp4ssw0rd to 244.0.0.252 is an IP multicast query message with MAC address 01:00:5E:00:00:FC.
  - As there weren't devices with these names, you won't see mDNS/LLMNR responses.
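
An added example, not part of the answers above: it encodes the three queries from the walkthrough in DNS wire format and shows that the typed string sits in each message as readable bytes, and how each multicast group maps to the 01:00:5E MAC prefix. The function names are illustrative, testp4ssw0rd and the 192.0.2.x/example.com values are the answer's sample data, and the LLMNR group 224.0.0.252 is taken from RFC 4795.

```python
import ipaddress
import struct

TYPED = "testp4ssw0rd"  # sample string from the answer, not a real credential

def build_query(name: str, txid: int = 0) -> bytes:
    """Encode a one-question query (type A, class IN); mDNS and LLMNR reuse the DNS format."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(message: bytes) -> str:
    """Read the queried name back out, as a packet capture or resolver log would show it."""
    pos, labels = 12, []  # the fixed DNS header is 12 bytes
    while message[pos] != 0:
        length = message[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in these questions")
        labels.append(message[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def multicast_mac(group: str) -> str:
    """IPv4 multicast group -> Ethernet MAC: 01:00:5E plus the low 23 bits of the address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    mac = bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")
    return ":".join(f"{b:02X}" for b in mac)

# (protocol, UDP port, destination, name queried) for the paths in the walkthrough
PATHS = [
    ("DNS", 53, "192.0.2.254", f"{TYPED}.example.com"),
    ("mDNS", 5353, "224.0.0.251", f"{TYPED}.local"),
    ("LLMNR", 5355, "224.0.0.252", TYPED),
]

def exposure_report():
    """Return (protocol, port, name on the wire, typed string readable?, multicast MAC)."""
    rows = []
    for proto, port, dst, name in PATHS:
        wire = build_query(name)
        mac = multicast_mac(dst) if ipaddress.IPv4Address(dst).is_multicast else None
        rows.append((proto, port, parse_qname(wire), TYPED.encode() in wire, mac))
    return rows

if __name__ == "__main__":
    for row in exposure_report():
        print(row)
```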