Google Chrome Will Automatically Change Compromised Passwords

Google has unveiled a new feature in its Chrome browser that allows the built-in Password Manager to automatically update compromised passwords.

While Google Password Manager already notifies users when their credentials have been compromised and helps automate parts of the password update process, users previously had to manually complete the changes for each account. This new feature aims to streamline that process entirely.

The Automated Password Change feature, announced at the Google I/O keynote presentation, goes a step further. It will apparently let you generate a new password and substitute it for the old one with a single click, without ever seeing a "Create New Password" page. The feature only works on participating websites. Google is currently in talks with developers to expand the range of sites that will support one-click password changes, with plans for a full rollout later in 2025.

“When Chrome detects a compromised password during sign-in, Google Password Manager prompts the user with an option to fix it automatically,” according to a blog post. “On supported websites, Chrome can generate a strong replacement and update the password for the user automatically.”

This enhancement builds on existing features that suggest strong passwords during account creation and alert users when credentials appear in known data breaches.

The goal of automated password updates is to streamline the process of securing accounts—eliminating the need for users to navigate through settings or abandon the process midway.

How Websites Can Support This Feature

To integrate with Chrome’s automatic password change, website owners should:

  • Use autocomplete="current-password" and autocomplete="new-password" on relevant fields to enable autofill and storage.
  • Set up a redirect from yourdomain.com/.well-known/change-password to their password change page.
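
The two requirements above as an added example (not code from Google or the original article): a router that serves the well-known redirect and a change-password form with the listed autocomplete values, plus an audit function that checks a site's responses against both. The /account/password path, the field names and the accepted redirect status codes are assumptions of this example.

```javascript
// Added example. CHANGE_PASSWORD_PATH and the form field names are hypothetical;
// the article only specifies the well-known URL and the two autocomplete values.
const WELL_KNOWN = "/.well-known/change-password";
const CHANGE_PASSWORD_PATH = "/account/password";

const FORM_HTML = `<form method="post" action="${CHANGE_PASSWORD_PATH}">
  <input type="password" name="current" autocomplete="current-password" required>
  <input type="password" name="new" autocomplete="new-password" required>
  <button type="submit">Change password</button>
</form>`;

// Pure router: what the site should send for a GET on the given path.
function respond(path) {
  if (path === WELL_KNOWN) {
    return { status: 302, headers: { Location: CHANGE_PASSWORD_PATH }, body: "" };
  }
  if (path === CHANGE_PASSWORD_PATH) {
    const headers = { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store" };
    return { status: 200, headers, body: FORM_HTML };
  }
  return { status: 404, headers: {}, body: "Not found" };
}

// Audit: list the ways a site (given as a path -> response function) falls short.
function audit(respondFn) {
  const redirect = respondFn(WELL_KNOWN);
  const target = redirect.headers && redirect.headers.Location;
  // This example accepts the temporary-redirect status codes only.
  if (![302, 303, 307].includes(redirect.status) || !target) {
    return ["well-known URL does not redirect"];
  }
  const page = respondFn(target);
  if (page.status !== 200) return ["redirect target is not served"];

  const findings = [];
  const tokens = new Set();
  for (const tag of page.body.match(/<input\b[^>]*>/gi) || []) {
    if (!/type\s*=\s*["']?password/i.test(tag)) continue; // only password fields
    const m = tag.match(/autocomplete\s*=\s*["']?([\w-]+)/i);
    if (m) tokens.add(m[1].toLowerCase());
    else findings.push("password field without autocomplete");
  }
  for (const want of ["current-password", "new-password"]) {
    if (!tokens.has(want)) findings.push(`no field with autocomplete="${want}"`);
  }
  return findings;
}
```

To serve it, call respond(path) from the request handler of whatever HTTP framework the site uses and write back the returned status, headers and body.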

Users can refer to this guidance article HERE

Read the complete Google announcement HERE

Looking Ahead: Shift Toward Passkeys

This development comes amid a broader move toward more secure authentication methods like passkeys. Earlier this month, Microsoft announced that passkeys would become the default sign-in method for new customer accounts—part of a growing industry trend to better defend against account takeovers.


Is it April already?


The amount of local internal network passwords I have, this feature will be more of a burden than a helpful one. Plus the vulnerabilities this could introduce... Good idea in theory, dangerous idea in practice...


I appreciate Google's efforts to serve and protect. It's crucial never to store passwords in your browser. I recommend utilizing a third-party password manager independent of your browser for enhanced security.

Unsound, nifty, out-of-touch approaches presented as 'wisdom', accredited as 'great-thought', not so much. A reminder, a bit of nagware, an accepted approach, password-nanny; for all the reasons cited, unsound.
