Your Password Manager’s Autofill Feature is Hurting You

We all know what they say about passwords and security. To keep your data and information safe, you need to have a long involved password, and it needs to be unique to that website. If you use a browser-based password manager with an autofiill feature to help you with that task, though, you may want to reconsider, as advertisers are able to gather data from those helpful managers.

The Situation


Often, passwords are required to have at least one uppercase letter, lowercase letter, and number, and many times a symbol as well. But the more websites and apps you connect to, the more passwords you’re required to remember. Unless you have a really good memory, it just becomes too tough to remember all those logins with unique passwords.

This is when we start relying on a browser-based password manager. It’s so much easier to have all those difficult-to-remember passwords remembered in that password manager. It will autofill your login information, taking care of all the work for you. And sometimes it will even suggest unique passwords for you, to take care of that whole password task.

But research from Princeton’s Center for Information Technology Policy is claiming that while those password managers seem ultra helpful, they’re also being ultra hurtful as well. They’re also allowing advertisers to pull data and information from the password manager browser add-ons that are able to access the autofill feature.

Stealing Your Information


These add-ons actually use a fairly simple system to steal your information and send it to advertisers. After you ask the add-on to save your information, a tracking script is in place but not visible to you.

After you have signed on with the autofill feature, and you visit a different page on the same site, it includes a tracking script which puts up an invisible autofill form that is again filled in automatically by your password manager, but this time you don’t see it.

The third-party script grabs your email address from that autofill form and sends it to third-party servers, and they use that information to track you.

These tracking scripts were found on 1110 of the Alexa top one-million sites. While those scripts are only collecting your email address from the autofill feature at this point, collecting your password may turn up in future scripts.

Keeping Your Information Safe

To be sure that you’re not falling victim to this ploy, you need to make sure that your browser-based password manager doesn’t automatically fill in that information for you without any input from you.

An example of a password manager that doesn’t exploit you with scripts is 1Password. It’s designed in a way to avoid all of that. A user has to take a specific action in order to get the password to be filled in via the autofill feature.

While there are several different ways to get the login information to be filled in, in every one of those ways the user needs to give the browser the approval to do so. 1Password won’t do it automatically for you, meaning a third-party script doesn’t have the ability to sneak in there and steal that information from the autofill feature.

If you’re concerned about your email being leaked to advertisers and maybe your passwords at some future date, you’ll want to make sure that if you use a browser-based password manager that you use one like 1Password that doesn’t fill in your login information automatically.

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.


  1. Does this affect Browser internal password managers as well? if so, which browsers affected?

  2. “if you use a browser-based password manager that you use one like 1Password that doesn’t fill in your login information automatically”
    That still is no guarantee that your password won’t be stolen. If the file storing your passwords is on your computer, it WILL be compromised sooner or later. Storing passwords in the cloud is even more dangerous.

    All password managers have the same single point of weakness – the password to access them. Once that is compromised, the entire file of stored passwords becomes an open book.

  3. How about at least mentioning the built-in password managers in such browsers as Firefox and Chrome. Are they doing autofill stealing or not? I have always relied on these and never third party password managers.

    1. Unless they’ve changed their policies of storing those passwords in plaintext, as they have in the past, you’ve got bigger problems than just the autofill feature when it comes to letting browsers manage passwords.

Comments are closed.