Summary
- Google Chrome will soon offer to change your compromised passwords.
- Users will only need to click on the “Change it for me” button to update passwords for compromised accounts.
- Website developers must manually add support for this new feature.
Google Chrome comes with a built-in password manager that has steadily improved over the years, making it easier and safer to use. This includes adding passkey support and sharing your saved passwords with family members. The browser can also automatically upgrade passwords to passkeys on compatible sites for a seamless and secure sign-in experience. But none of this solves the problem of compromised passwords and the hassle of manually changing them. Google Chrome now wants to solve this problem for good.
Like the best password managers, Google Chrome’s password manager can check for weak and compromised passwords. It goes without saying that for security reasons, you should immediately change any compromised passwords. But that’s easier said than done, since it’s usually a multi-step, time-consuming process.
At I/O 2025, Google announced that when logging into a website in Chrome with compromised credentials, the browser will display a warning and offer a “Change it for me” button to update your password. It will also automatically update the login credentials in Google’s password manager.
Website developers must add support for this feature, which is why Google is announcing it now, so they have enough time to implement it ahead of the public rollout later this year. As part of this, they must set up a redirect from /.well-known/change-password to the change password page of their website.
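One way a site could serve that redirect, shown as an added example rather than code from Google or this article: a standard-library Python WSGI app with an in-process check. The target path `/account/settings/password`, the choice of a 302 status and the `probe` helper are assumptions of this example.

```python
from wsgiref.util import setup_testing_defaults

WELL_KNOWN = "/.well-known/change-password"
# Assumption: hypothetical location of the site's real change-password page.
CHANGE_PASSWORD_PAGE = "/account/settings/password"


def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET")
    if path != WELL_KNOWN:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if method not in ("GET", "HEAD"):
        start_response("405 Method Not Allowed", [("Allow", "GET, HEAD")])
        return [b""]
    # The target is a fixed, same-origin path. Nothing from the request
    # (query string, Host, Referer) reaches the Location header, so the
    # endpoint cannot be used as an open redirect.
    # 302 is this example's choice of temporary redirect.
    start_response("302 Found", [("Location", CHANGE_PASSWORD_PAGE)])
    return [b""]


def probe(path, method="GET", query=""):
    """Call the app in-process (no network); return (status, headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(PATH_INFO=path, REQUEST_METHOD=method, QUERY_STRING=query)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    # Constructed requests: a plain lookup, then one carrying a redirect hint.
    print(probe(WELL_KNOWN))
    print(probe(WELL_KNOWN, query="next=https://other.example/"))
```

Running the same `probe` checks in CI catches a deployment where the well-known path stops redirecting or starts honouring a request-supplied target.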
Google confirmed to The Verge that Chrome won’t silently update your weak or compromised passwords without user consent.
Ideally, Google should work with popular websites and developers to bring such a feature to all password managers. Nonetheless, this is still a nice security improvement in Chrome that will keep your online accounts safe.
No passkey? Websites can fall back to traditional sign-in
Currently, Chrome shows a QR code when you try to log into a service and don’t have its passkey synced to the device you are using. You must then scan the QR code from a device that has the passkey.
To reduce this friction, Chrome will now first check if the passkey for that service is stored on the device being used. If not, it will let websites default to their regular sign-in method. A small change, but it will help websites deliver a seamless login process.