Chrome Autofill Stopped Filling Forms and Passwords: The Five Settings That Restore It

Chrome autofill suddenly empty? Check three toggles, clear per-site data, audit extensions, and re-sync your account so forms and saved passwords fill instantly again.

Chrome autofill is one of those features I only notice when it breaks. One morning my login credentials filled in instantly; the next, Chrome stared blankly at an empty field while I dug through a password manager I thought I’d retired. After fixing this on my own machine and a half-dozen family laptops, I’ve found that broken Chrome autofill almost always traces back to one of five settings or sync issues. None of them require reinstalling the browser, and most take under five minutes.

This guide walks through each fix in order, from the quickest toggle check to a full settings reset, so you can stop the blank-form frustration without guessing.

Quick Answer

Open chrome://settings/autofill and confirm that Passwords, Payment methods, and Addresses are all switched on. If they are, clear Chrome’s site data for the affected page, then disable extensions one at a time to find any that block autofill. Re-syncing your Google account fixes most of the cases that remain.

Why does Chrome autofill stop working?

Chrome’s autofill system handles three separate types of saved data — passwords, payment cards, and addresses — and each one is controlled by its own toggle. Any of those can be silently switched off by a browser update, a third-party extension conflict, or a corrupted cache entry. The first time it happened to me, the culprit was a Chrome update that quietly reset my Passwords toggle overnight.

Before diving in, confirm which type of autofill broke: passwords for logins, addresses for checkout forms, or payment cards. That single check narrows your fix straight away.

Autofill rarely breaks site-wide — it usually fails for one data type because one toggle, extension, or cache entry went sideways.

How do I confirm autofill is actually enabled?

Start here, because a flipped toggle is the single most common cause and the fastest to rule out.

  1. In the Chrome address bar, type chrome://settings/autofill and press Enter.
  2. Click Passwords and make sure Offer to save passwords and Auto Sign-in are both on.
  3. Click the back arrow, open Payment methods, and enable Save and fill payment methods.
  4. Open Addresses and more and enable Save and fill addresses.

If a toggle is already on but passwords still don’t appear, scroll down the Passwords page and check whether Chrome has a saved entry for that site. If the list is empty, Chrome has nothing to fill — save the password manually once, and it will autofill on every later visit. My own “broken” autofill turned out to be exactly this: no entry had ever been saved.

A toggle that’s off, or a site with no saved entry, accounts for more autofill failures than every other cause combined.

Will clearing the cache fix autofill on one site?

Often, yes. A stale or corrupted cache entry can confuse Chrome’s form-detection engine on a single page while every other site fills normally. You don’t need to wipe your entire history — clearing just the affected site is enough.

  1. Navigate to the site where autofill fails.
  2. Click the padlock or tune icon in the address bar, then choose Site settings.
  3. Scroll down, click Delete data, and confirm.
  4. Reload the page and try the form again.

When the problem spans several sites instead of one, a full cache clear is the better move — my guide to clearing browser cache and cookies covers the cross-browser steps.

Per-site data deletion fixes a single stubborn form without signing you out of every other account you use.

Could a browser extension be blocking autofill?

Frequently. Password managers, ad blockers, and privacy extensions intercept Chrome’s autofill engine, especially when they’re out of date, and an extension conflict is the most common reason autofill suddenly breaks after a Chrome update.

  1. Go to chrome://extensions and toggle every extension off.
  2. Reload the page with the form and test autofill.
  3. If it works, re-enable extensions one at a time, testing after each, until the culprit reappears.

While you’re in there, it’s worth pruning extensions you no longer use — my Chrome memory guide walks through auditing them properly. Note that Dashlane, LastPass, 1Password, and Bitwarden all disable Chrome’s built-in autofill by design; if you run one, its extension, not Chrome, fills your credentials, so make sure it’s enabled and signed into the right account.

If autofill broke right after an update, an outdated extension is the first thing I check.

How do I re-sync my Google account to restore autofill?

Chrome syncs autofill data through your Google account, so a sign-in hiccup can leave the local browser with empty data even when the records still exist online. This is the classic “works on my phone but not my laptop” symptom.

  1. Click your profile icon at the top-right. If you see a sync error banner, click Fix and sign in again.
  2. Otherwise go to chrome://settings/syncSetup, toggle sync off, wait 10 seconds, then turn it back on.
  3. Wait 30 to 60 seconds, reload Chrome, and test the form.

You can verify your saved passwords at Google Password Manager; if they appear there, they should sync back to Chrome within a minute of re-enabling sync.

Re-syncing fixes autofill that works on one device but not another, since the data lives in your account, not the browser.

What if nothing works and I need to reset Chrome?

When every other step fails, a settings reset clears corrupted autofill preferences without touching bookmarks, history, or saved passwords.

  1. Go to chrome://settings/reset.
  2. Click Restore settings to their original defaults.
  3. Confirm the reset; bookmarks and passwords are not affected.
  4. Return to chrome://settings/autofill and re-enable all three toggles, because the reset turns them off.

I reset only as a last resort, because re-enabling the toggles afterward is easy to forget and looks exactly like the original problem.

A reset wipes corrupted preferences safely, but you must switch the autofill toggles back on yourself.

Which fix matches your symptom?

If you’d rather skip straight to the likely cause, match your exact symptom to the fix below.

Symptom Most likely cause Best fix
Passwords never suggested on login Offer to save passwords toggle off Confirm toggles are on
Addresses missing at checkout Addresses toggle off or no entry saved Check and add an address
Used to work, suddenly stopped Extension conflict after a Chrome update Disable extensions
Works on one device, not another Sync error or signed out Re-sync account
All autofill broken at once Corrupted preferences after update Reset settings

Most failures map to one row here, so identify your symptom before working through every step.

Common Mistakes to Avoid

  1. Assuming the website is broken. Most “this site won’t autofill” problems are a Chrome setting, not a site bug. Check the toggles before blaming the page.
  2. Wiping all cookies at once. Clearing cookies site-wide signs you out of every account simultaneously. Use per-site data deletion to target only the problem page.
  3. Running two password managers together. Chrome’s built-in autofill and a third-party extension fighting each other means neither fills reliably. Pick one and disable the other’s autofill feature.
  4. Forgetting to save the password the first time. If you dismissed Chrome’s “Save password?” prompt, there’s nothing stored to fill. Use my saved passwords guide to add credentials manually.
  5. Testing in Incognito and expecting autofill. Chrome disables autofill in Incognito by default; the private browsing explainer covers what Incognito does and doesn’t change. Always test in a normal window.

Skip these five traps and you avoid the mistakes that send most people in circles before they find the real toggle.

Frequently Asked Questions

Why does Chrome autofill work on some sites but not others?
Some sites deliberately block autofill with the autocomplete="off" HTML attribute, and Chrome respects it. For example, my bank’s login page never autofills no matter what I change, because the bank set that attribute for security — so I type those credentials manually.

Does clearing the cache delete my saved passwords?
No. Saved passwords live in Chrome’s Password Manager and sync to your Google account, not in the cache. When I cleared a misbehaving shopping site’s data last month, my login still autofilled on the next visit because the password was never stored in the cache to begin with.

Why did autofill stop working after a Chrome update?
Major updates occasionally reset autofill toggles or introduce extension conflicts. After one update my Passwords toggle had flipped off on its own, so I now check the toggles and my extensions first whenever autofill breaks right after Chrome updates.

Can Chrome autofill a username but not a password?
Yes, and it usually means the password wasn’t saved alongside the username or the site uses a two-step login. I hit this on a site that asks for the email first; opening chrome://password-manager/passwords showed the username stored with no password next to it.

Is it safe to let Chrome autofill payment card details?
Generally yes — Chrome encrypts saved card data and fills it only on HTTPS pages. For extra safety I enabled the verification option in chrome://settings/payments, which now asks for my device PIN before any card number fills.

How do I stop Chrome from autofilling on one specific site?
Open the site, click the padlock, choose Site settings, then Delete data. I did this for a coworking-space portal I only use once a year, then dismissed the “Save password?” prompt so Chrome stopped re-saving it.

Conclusion

Chrome autofill breaks for a short, predictable list of reasons — a disabled toggle, a corrupted cache entry, an extension conflict, or a sync hiccup. Work through these fixes in order and you’ll likely be back to one-click logins in a few minutes. To take full control of everything Chrome has stored, read my saved passwords guide next.

Signs Your Phone Has Been Hacked and How to Take Back Control

Worried your phone has been hacked? I walk through the warning signs and an exact Android and iPhone cleanup plan so you can lock things down today.

Last winter a friend handed me her iPhone because it was “acting possessed” — dead by lunch, random Portuguese-language ads on the home screen, and a password-reset email from her bank she never asked for. Twenty minutes later we found a configuration profile she had been tricked into installing, and the picture snapped into focus. The earlier you catch a compromised phone, the difference between a fifteen-minute cleanup and months of identity-theft cleanup.

I have walked dozens of people through this exact panic, and the pattern is always the same: a few small symptoms that each look innocent until you line them up. Below I cover what a hacked phone actually looks like and the precise steps I use to clean one up on both Android and iPhone.

Quick Answer

The clearest signs your phone has been hacked are sudden battery drain, apps you never installed, unexpected mobile-data spikes, messages sent from your accounts that you didn’t write, pop-up ads, sluggish performance, and password-reset emails you didn’t request. If two or more apply, run a malware scan and change your passwords today.

What Are the Warning Signs Your Phone Has Been Hacked?

Spyware and adware leave fingerprints. Each sign below can have an innocent explanation on its own, but when several appear together I treat the phone as compromised until proven otherwise. Here are the seven I check first.

Is your battery draining far faster than normal?

Malicious apps run silently in the background — tracking location, uploading contacts, streaming the microphone — and all of that burns battery fast. If a phone that once lasted all day now dies by mid-afternoon for no obvious reason, I open Settings > Battery on iPhone or Settings > Battery > Battery Usage on Android and look for an unfamiliar app near the top of the list. On iOS 14+ and Android 12+, a colored dot in the status bar means the camera or microphone is active right now — seeing it while you’re doing neither is a red flag.

Unexplained battery drain plus a live camera or mic dot is one of the strongest early warning signs.

Are there apps you don’t recognize?

I scroll through every home screen and app drawer. Attackers love disguising apps as bland utilities like “System Service” or “Phone Manager” so they blend in. Uninstall anything you don’t remember adding. On Android, also open Settings > Security > Device Admin Apps and revoke admin access for anything you didn’t authorize. Rogue browser add-ons work the same way on desktop, and my guide on browser extensions that spy on you covers that angle in detail.

If an app is on your phone and you can’t recall installing it, treat it as hostile until you confirm otherwise.

Has your mobile data usage spiked?

Spyware exfiltrates messages, photos, and call logs to remote servers, and that traffic shows up in your data totals. I check Settings > Mobile Data on iPhone or Settings > Network & Internet > Data Usage on Android. An app you barely touch sitting at the top of the data list is worth acting on immediately.

A rarely-used app burning large amounts of background data usually means something is shipping your information out.

Are messages going out that you didn’t write?

If contacts say they’re getting strange links or odd messages from you, act right away. Hijacked phones get used to spread phishing links and run premium-rate SMS scams. I open the Sent folder in both Messages and email and scan for anything I didn’t send.

Outgoing messages you never wrote mean your accounts are already being used against your contacts.

Is the phone sluggish or overheating for no reason?

A phone running hot while idle or freezing often is busy with hidden background processes. On its own this could be a software bug or aging hardware, but paired with any other sign here it points to compromise and warrants a scan.

Heat and lag alone are inconclusive, but combined with another symptom they tip the scales toward malware.

Are pop-up ads showing up outside of apps?

Ads on your home screen, or inside apps that never had ads before, are a hallmark of adware that pays attackers to force advertisements onto your screen. When I see ads appearing where they have no business being, a rogue app is almost always the cause.

Ads outside of an app you opened are a near-certain sign of an adware infection.

Are you getting password resets you never asked for?

Password-reset emails you didn’t request, login alerts from unfamiliar places, or sudden lockouts all point to someone methodically taking over your accounts — often starting from access gained through your phone. This escalates within hours, so I act the same day every time. The fastest way to confirm it is to find and remove unknown logins on Google, Microsoft, and Apple.

Unrequested password resets are the loudest alarm on this list — never ignore them.

How Do You Clean Up a Hacked Phone Step by Step?

Once I’m confident the phone is compromised, I work through these five steps in order. Doing them out of sequence — for example, resetting passwords on the infected device before removing the malware — can hand your new credentials straight back to the attacker.

Step 1: Run a malware scan

On Android, I install Malwarebytes (free) and run a full device scan. On iPhone, I go to Settings > General > VPN & Device Management and delete any configuration profile I didn’t install — those profiles are the main way attackers bypass Apple’s protections without a jailbreak, and they were exactly what my friend had been tricked into adding.

Step 2: Remove every app you don’t recognize

Uninstall unfamiliar apps right away. On Android: Settings > Apps. On iPhone: press and hold the icon, then Remove App. If an Android app refuses to uninstall, it likely holds Device Administrator privileges — revoke those at Settings > Security > Device Admin Apps first, then remove it. When an app still resists, I boot into Safe Mode by holding the Power button, then long-pressing “Power off” until the Safe Mode prompt appears; third-party apps are disabled there, so they come off cleanly.

Step 3: Change your passwords, email first

Email is the master key to every other account, so I change it first, then banking, social media, and anything with saved payment details. Use a unique, strong password for each one, and turn on two-factor authentication everywhere it’s offered — my walkthrough on setting up two-factor authentication makes that quick. It’s also worth checking whether your password was already exposed in a data breach.

Step 4: Audit your signed-in devices

I open myaccount.google.com > Security > Your devices for Google and Android, or appleid.apple.com > Devices for iPhone, and remove anything I don’t recognize. Reviewing sign-in times and locations usually surfaces the intruder fast.

Step 4 follow-up: Confirm 2FA is active

Before moving on, I verify two-factor authentication is genuinely enabled and not just half-configured. A single missed account is all an attacker needs to walk back in.

Step 5: Factory reset as a last resort

If malware survives the steps above, a factory reset is the most reliable fix. Back up photos and contacts to the cloud first, then restore from a backup dated before your symptoms began — restoring a post-compromise backup just reinstalls the problem you removed.

Work these steps in order and most phones are fully clean within two hours.

Which Security Tools Should You Use on Android vs. iPhone?

When three or four tools all claim to help, I find a side-by-side comparison settles it fastest. Here’s what I actually reach for, all free or built in.

Tool Platform Purpose Cost
Malwarebytes Android Malware scan and removal Free
Google Play Protect Android Real-time app scanning Built-in
Apple ID Security iPhone Device audit and remote wipe Built-in
Have I Been Pwned Both Check email against breach databases Free

You don’t need to pay for anything — the built-in and free tools above cover the whole cleanup.

Common Mistakes to Avoid

These are the slip-ups I see most often, each with the fix I give people.

  1. Waiting to act. Symptoms don’t resolve on their own, and every hour gives attackers more time to harvest data. Fix: act the same day you notice something off.
  2. Changing only one password. Attackers usually target several accounts at once. Fix: change all important passwords, not just the obvious one.
  3. Restoring a backup without checking its date. A post-compromise backup reinstalls the malware. Fix: restore the most recent backup from before symptoms started.
  4. Skipping permission reviews after a reset. A clean phone can still leak data through over-permissioned apps. Fix: review each app’s permissions before granting them — a flashlight has no business reading your contacts.
  5. Resetting passwords on the still-infected phone. Active spyware can capture the new ones. Fix: remove the malware first, then change credentials from a clean device.

Most of the damage I see comes from rushing the order, not from the malware itself.

Frequently Asked Questions

Can iPhones get hacked?

Yes, iPhones can be hacked, though their closed ecosystem makes it harder. The friend I helped was compromised through a rogue configuration profile she installed after tapping a link in a fake “delivery” text — no jailbreak required.

Does a factory reset remove all malware?

In nearly all cases, yes — a factory reset wipes the device back to its original state. The one exception is firmware-level malware, which is extraordinarily rare; in years of helping people I’ve never seen it outside of news reports about state-sponsored attacks on high-value targets.

How do I check whether my email was exposed in a data breach?

Use Have I Been Pwned, a free and reputable service that checks your address against hundreds of known breaches. I ran my own email through it and found it in two old breaches, which is exactly why I now use unique passwords everywhere.

What is SIM swapping and should I worry about it?

SIM swapping is when an attacker convinces your carrier to move your number to a SIM they control, intercepting your SMS codes. I had a reader hit by this; the fix was calling the carrier directly and adding a SIM-lock PIN to the account, which blocks the transfer.

How long does it take to fully secure a hacked phone?

Most people finish a scan, password change, and account audit in under two hours. When I helped my friend it took about ninety minutes, and adding a factory reset would have added roughly another half hour.

Conclusion

A hacked phone is stressful but very recoverable — the real risk is waiting, because every hour a compromised device sits in your pocket adds to the damage. Work through the steps above the moment you spot two or more warning signs, then make two-factor authentication your permanent first line of defense. Start your scan today.

Claude AI Free Plan: What You Get and How I Make It Last

The Claude AI free plan needs no credit card to start. I break down exactly what you get, where the daily limits hit, and the habits that stretch every session.

The Claude AI free plan is real, and I use it most days without paying a cent. Claude is Anthropic’s assistant, and I lean on it for nuanced writing, careful reasoning, and long documents it reads without losing the thread. Plenty of people still assume it sits behind a paywall — it doesn’t, and you can start without entering any payment details. The free tier is a genuine daily-use tool, not a gated demo.

In this guide I walk through exactly what the free plan includes, where the real limits sit, and the habits I rely on to get work done before I hit a cap. Whether you’re switching from ChatGPT or trying an AI assistant for the first time, you’ll know what to expect before your first session wraps.

Quick Answer

Sign up at claude.ai with an email address or Google account — no credit card required. The free plan gives you Claude Sonnet, document uploads, and multiple conversations per day. When the rate limit triggers, it resets within a few hours. Most people get a comfortable 15–30 standard exchanges before any friction appears.

What Does the Claude AI Free Plan Include?

A free Anthropic account gives you Claude Sonnet, a capable mid-tier model that suits most everyday tasks. Claude Opus, the highest-tier model built for complex reasoning, is reserved for Pro subscribers ($20/month). For writing, summarizing, coding help, and research, I find Sonnet handles the load without a paid upgrade.

Which Tasks Can I Start Right Now?

  • Write and edit — draft emails, cover letters, blog posts, or scripts; ask Claude to tighten prose or match a specific tone
  • Summarize long documents — paste in a research paper, contract, or report and request a structured breakdown
  • Get coding help — Claude handles Python, JavaScript, SQL, and most common languages, and it explains the logic, not just the syntax
  • Brainstorm and plan — work through project outlines, decision frameworks, or idea lists in a back-and-forth thread
  • Refine outputs iteratively — Claude keeps full context within a conversation, so follow-up instructions land without re-explaining background

The free plan covers writing, summarizing, coding help, brainstorming, and iterative refinement on Claude Sonnet.

How Does the Free Rate Limit Work?

The free plan meters usage by volume rather than a fixed message count. Long prompts and large document uploads draw more from your daily allowance than short exchanges. When the limit triggers, you see an in-app notice, and it typically resets within a few hours. Closing and reopening the browser does not reset it — I learned that the hard way during a long editing session.

Pro tip: If you hit the rate limit mid-task, start a new conversation and paste your most recent messages as context. Claude begins each session fresh, but copying a brief summary of the thread lets you continue without losing progress.

Usage is metered by volume, so long inputs cost more, and a triggered limit clears within a few hours.

How Do I Get More Out of Every Free Session?

Two habits stretch my free allowance further than anything else: writing tighter prompts and saving standing instructions in Projects.

Why Should I Write One Focused Prompt Instead of Three Vague Ones?

Claude produces better output when a prompt specifies what I want, why, and what format it should take. “Summarize this in three bullet points for a non-technical manager” is one exchange. “Summarize this” often takes two or three follow-ups to land in the right place. The same habits that sharpen other AI tools work here — see my breakdown of prompting techniques that get smarter AI responses.

Troubleshooting tip: If Claude’s answer feels too broad or generic, I add a single constraint — length, audience, tone, or format. That one addition often turns a mediocre response into a usable one without burning a follow-up.

How Do Projects Save My Standing Instructions?

Free users can create Projects — persistent workspaces that give Claude standing instructions for a topic area. For example: “Always write in plain English, avoid bullet points unless I ask.” Projects don’t reset the rate limit, but they eliminate the time I’d otherwise spend re-explaining context at the start of every session.

Tighter prompts and Projects let one free session do the work of two or three.

How Does Claude Compare to ChatGPT and Gemini on the Free Tier?

Each free assistant leans into something different, so I keep a quick side-by-side handy when I decide which one to open. If you want the full breakdown, I compare them in detail in ChatGPT vs Gemini vs Claude.

Feature Claude (Free) ChatGPT (Free) Gemini (Free)
Free model Claude Sonnet GPT-4o mini Gemini 1.5 Flash
Long document support Yes (large context window) Limited Yes
Cross-session memory No (Projects help) Yes (optional) No
Image generation No Limited Yes (via Imagen)
Live web access No (free tier) Limited Yes

Claude wins on long documents, while ChatGPT offers memory and Gemini adds images and live web access.

What Common Mistakes Should I Avoid on the Free Plan?

  • Pasting a document with no question. Claude handles large text well but needs direction. The fix: always follow a paste with a clear instruction — summarize, extract key decisions, identify weaknesses, or rewrite for a different audience.
  • Treating every answer as fact. Claude can state incorrect information confidently, especially for specific statistics or recent events. The fix: verify anything important first. My AI fact-checking guide shows a two-minute routine that catches most errors.
  • Starting fresh for every follow-up. Claude retains full context in a single conversation. The fix: keep related tasks in one thread, since opening a new chat resets context and burns extra allowance.
  • Expecting live internet results. The free tier has no web access and Claude’s knowledge has a training cutoff. The fix: pair it with a search-native tool for current prices, recent news, or live data.
  • Assuming Claude remembers past conversations. Unlike ChatGPT’s optional memory feature, detailed in What ChatGPT Remembers About You, Claude starts each session blank. The fix: use Projects to set standing context.

Most free-plan friction comes from vague prompts and lost context, not the rate limit itself.

Frequently Asked Questions

Does Claude AI require a credit card to sign up?
No — creating a free account only needs an email address or a Google account. When I signed up, I used a Google login and reached a working chat in under a minute with no payment screen.

How many messages can I send per day on the free plan?
Anthropic doesn’t publish a fixed number; limits depend on usage volume, so longer inputs draw more from your allowance. In my own use, a day of short writing edits ran past 25 exchanges before any rate-limit notice appeared.

Is it safe to use Claude for private or sensitive content?
Avoid sharing passwords, financial credentials, or health details in any AI chat. Anthropic states it does not train production models on conversations by default, and I still review my data settings in the account privacy panel before pasting anything client-related.

What is the difference between Claude Sonnet and Claude Opus?
Sonnet is the free mid-tier model, fast and capable for writing, coding, and analysis; Opus is the Pro-only model built for complex multi-step reasoning. For a long contract summary, I found Sonnet handled it without ever needing Opus.

Can I upload files on the free plan?
Yes — Claude accepts PDF, Word document, and plain-text uploads directly in the chat. When I uploaded a long report, I split it into two files because very large documents count toward the session’s context window limit.

Does Claude have a mobile app?
Yes — Claude is on both iOS and Android at no cost via Anthropic’s official Claude site, with the same free-tier access as the web. I draft on my phone and pick the same thread back up on my laptop.

Is the Claude AI Free Plan Worth It?

Claude’s free plan handles writing, document analysis, and code explanation without a subscription, and its large context window gives it a real edge on the free tier. Open an account, bring one real task from your day, and you’ll know within a single session whether it earns a permanent spot in your workflow.

For most everyday writing and document work, the free plan is more than enough before you ever weigh a paid upgrade.

Spyware Browser Extensions: How I Find and Remove Them in 5 Minutes

Spyware browser extensions hide in plain sight. Here is how I audit permissions in Chrome, Firefox, Edge, and Safari and clear the risky ones fast.

A spyware browser extension rarely looks like a threat. You install a free PDF converter, a coupon finder, or a grammar checker, then forget it exists. Months later that same extension may be reading every page you open, capturing form fields, and quietly sending your browsing history to a data broker you have never heard of. The most dangerous extension on your machine is almost always one you stopped thinking about.

I run this audit on my own laptops every couple of months, and it has never taken longer than a coffee break. Security researchers keep finding popular extensions with millions of users harvesting data and selling it on, so a quick review is cheap insurance against a gap you did not know was open.

Quick Answer

Open your browser’s extension manager (chrome://extensions in Chrome, about:addons in Firefox, edge://extensions in Edge), then review each extension’s permissions. Remove anything you do not recognise, anything requesting access to all websites, and any extension not updated in over a year. Keep only what you actively use.

Why Are Browser Extensions a Security Risk?

Installing an extension grants it real permissions, sometimes sweeping ones. An extension with “read and change all your data on all websites” can reach your banking pages, email inbox, and login forms. Those permissions persist silently too: a legitimate tool can be sold to an untrustworthy company and pushed a new update full of data-collection code without ever alerting you.

An extension’s permissions, not its install count, decide how much damage it can do.

What Do Extension Permissions Actually Mean?

Permission What the Extension Can Do
Read browsing history See every URL you visit
Read and change all site data Access forms, passwords, and banking pages
Read clipboard Capture anything you copy, including passwords
Manage downloads Save or block files on your device
Access tabs Monitor which websites are open at any moment

How Do I Audit My Extensions in Chrome?

Chrome commands the majority of desktop browser usage, which makes it the most targeted platform for malicious extensions. It is also where I start every audit.

Step 1: Open the Extension Manager

Type chrome://extensions in the address bar and press Enter. Every installed extension appears here, including the ones you added months ago and forgot. The first time I did this I found three I could not even name.

Step 2: Review Permissions

Click Details under each extension, then scroll to the Permissions section. An extension that only reads the active tab is far less risky than one demanding access to all your data on all websites.

Step 3: Remove What You Do Not Use

Click Remove for anything you cannot account for. If you are unsure about a specific extension, search its name plus the word “security” to check for reported problems before deciding. Chrome also shows a “Last used” date under each one; anything idle for 30 days is a safe removal target, since reinstalling from the Chrome Web Store takes under a minute if you change your mind.

In Chrome, Details then Permissions tells you in seconds whether an extension can read everything you type.

How Do I Check Extensions in Firefox, Edge, and Safari?

The navigation paths differ slightly, but the goal is identical: open the manager, check permissions, remove the unused.

  • Firefox: Go to about:addons, click the three-dot menu next to any extension, and choose Permissions to review or Remove to uninstall.
  • Edge: Go to edge://extensions, click Details, and check “Access to websites.” Avoid extensions set to On all sites unless the task clearly demands it.
  • Safari (Mac): Open Safari, then Settings, then Extensions. Safari enforces stricter limits by default, but unused extensions still deserve a removal pass.

If removing an extension breaks a website feature you rely on, reinstall it only from the official browser store, never from a third-party download page, which is a common route for distributing compromised versions. For safe-browsing habits that complement this audit, see my guide on how to check if a website is actually safe before entering any personal details.

Every major browser exposes the same two facts: what an extension can access, and whether you still use it.

What Are the Red Flags of a Spyware Extension?

  • Permissions do not match the task. A dark-mode extension has no legitimate reason to read your clipboard or full browsing history.
  • No recent updates. Abandoned extensions get no security patches, yet they keep running with full permissions indefinitely.
  • Unknown or impersonating developer. Malicious extensions often clone the icon and name of a trusted tool. Verify the publisher on the official store listing before installing.
  • Alarming one-star reviews. Filter reviews by one star and look for phrases like “started redirecting searches” or “injecting ads.” Problems usually surface in reviews before any takedown happens.

Google’s documentation on extension permission warnings explains exactly what each install prompt means, and it is worth reading once before your next install. While you are auditing, it is also a good moment to move your logins into a dedicated password manager like Bitwarden, since a rogue extension with broad permissions can read browser-saved passwords as you type.

When the permissions outweigh the job an extension does, treat that mismatch as the warning itself.

Common Mistakes to Avoid

  1. Installing from outside the official store. Third-party sites often bundle extensions with hidden malware. Fix: always use the Chrome Web Store, Firefox Add-ons, or Microsoft Edge Add-ons.
  2. Accepting every permission prompt without reading it. Excessive permissions for a simple task are a clear red flag. Fix: spend 15 seconds reading the list before clicking Add to Chrome.
  3. Forgetting that extensions sync across devices. Chrome extensions linked to your Google account appear on every signed-in device automatically. Fix: check the extension list on each device separately after any audit.
  4. Keeping “just in case” extensions. Every idle extension is an active attack surface with nothing to show for it. Fix: remove it now, since reinstalling from the official store takes seconds.
  5. Assuming a high install count means it is safe. Several extensions with tens of millions of users have been caught harvesting data. Fix: check the developer’s privacy policy and recent reviews, not just the star rating.

Frequently Asked Questions

Can a browser extension steal my passwords?

Yes. An extension with “read and change all your data on websites” permission can capture passwords typed into login forms before they ever leave your browser. I once removed a “free coupon” extension that held exactly that permission despite having no reason to touch a login field.

Are extensions disabled in private or incognito mode?

By default, yes. In Chrome extensions are off in Incognito unless you enable them. When I checked mine, two had “Allow in Incognito” switched on from a setup I had forgotten, which I turned off in chrome://extensions under each extension’s detail panel.

How often should I audit my extensions?

Every one to three months is a sensible rhythm. I tie mine to the start of each season, and I also do a quick pass whenever a browser update drops me into the Extensions menu anyway.

Is there an automated tool that detects bad extensions?

Some security suites flag suspicious extensions, but manual review stays the most reliable approach. When I tested a third-party “extension scanner,” it wanted broad permissions of its own, so I deleted it and went back to the browser’s built-in manager, which lists every active extension already.

Should I use a VPN as well as auditing extensions?

They solve different problems, so use both. A clean extension list stops local snooping, while a VPN encrypts your traffic in transit; my VPN setup guide explains what a VPN does and does not protect.

Conclusion

Keeping your extension list short and intentional is one of the simplest high-impact security moves any browser user can make. Check permissions before every install, revisit the list every few months, and remove anything you cannot account for.

Once your browser is clean, finish the checkup by reviewing unknown logins on your Google, Microsoft, and Apple accounts to close the most common account-level gaps in one sitting.

Private Browsing: What Incognito Mode Actually Hides (and What It Doesn’t)

Private browsing hides local history and cookies, but not your IP or network traffic. See exactly what Incognito mode covers before you trust it next time.

Private browsing sounds like a shield against online surveillance, but most people only learn how narrow it really is after relying on it at the wrong moment. Whether you call it Incognito in Chrome, InPrivate in Edge, or a Private Window in Firefox or Safari, the protection is far thinner than the name suggests. Private browsing hides your tracks from other people on your device, not from the network or the sites you visit.

I have tested every major browser’s private mode while watching the traffic on my own router, and the gap between what people assume and what actually happens is wide. Here is exactly what Incognito covers, what it leaves exposed, and when you need something stronger.

## Quick Answer

Private browsing hides your local browsing history, cookies, and form data from other users of the same device. It does **not** hide your activity from your internet provider, employer, school network, or the websites you visit. For real anonymity, pair it with a VPN or use Tor Browser instead.

In short: private mode cleans your own device, but your connection stays fully visible to everyone else.

## What Does Private Browsing Actually Hide?

Private mode is a local cleanup tool. It controls what your own browser stores on your own machine, and nothing past that.

In short: private browsing erases on-device traces, which is genuinely useful on a shared computer.

### Your local browsing history

When you close a private window, your browser wipes every URL from that session. The History menu stays clean and those sites never surface in address-bar autocomplete. When I share my laptop with family, this is the one feature that earns its keep: nobody stumbles onto my searches or half-finished gift research.

### Cookies and session data

Private browsing opens a blank cookie jar each session. Sites cannot read cookies from your regular profile, and any cookies set during the private session are discarded when you close the window. You start logged out of every service, so there is no cookie-based bridge between your normal and private sessions. If you want to scrub cookies in your main profile too, here is how to clear browser cache and cookies in every major browser.

### Saved form entries and autofill

Anything you type into a form during a private session, including addresses, searches, and login fields, never reaches your browser’s autofill. I rely on this whenever I borrow someone else’s machine to check a booking or sign into an account I will not use again.

## What Does Private Browsing Fail to Hide?

This is where assumptions get people in trouble. Private mode does nothing to the connection itself.

In short: your network, your provider, and every site you load still see you in full.

### Your IP address and internet provider

Your ISP sees every domain you connect to, private mode or not. Your IP address is equally visible to every website you load. Incognito only touches your local device, so it has zero effect on the connection. For network-level privacy you need a VPN; for near-full anonymity, Tor Browser routes traffic through several encrypted relays.

### Your employer, school, or home router

Network administrators can log DNS queries and outbound connections at the router level. Opening Incognito on a work laptop hides nothing from IT. The same is true at home, where anyone with router admin access can read the domains that were queried. I watched my own DNS log light up with every “private” site I visited during a test, which is exactly how people end up with real disciplinary consequences after assuming they were invisible.

### Website analytics and device fingerprinting

Google Analytics, Meta Pixel, and similar scripts identify visitors by IP address and device fingerprint, not cookies alone. In Incognito, a site still registers a visit from your IP. Fingerprinting also reads your screen resolution, installed fonts, and browser settings to build a signature that survives across sessions. If a paywalled article still counts your reads in a fresh Incognito window, it is tracking your IP or fingerprint, and switching networks or a VPN usually resets the counter.

### Malware and dangerous downloads

Private mode offers no protection against malicious downloads or phishing pages. A file you download in Incognito still runs on your system exactly the same way. Keep your antivirus active no matter which mode you browse in.

## Which Browser Has the Best Private Mode?

All four major browsers offer a private window, but they do not protect you equally. The table below shows how each one compares.

In short: Firefox and Safari block trackers in private mode by default; Chrome and Edge do not.

Browser Mode Name Shortcut (Win / Mac) Blocks Trackers by Default?
Chrome Incognito Ctrl+Shift+N / ⌘+Shift+N No
Firefox Private Window Ctrl+Shift+P / ⌘+Shift+P Yes (Enhanced Tracking Protection)
Edge InPrivate Ctrl+Shift+N / ⌘+Shift+N No
Safari Private Window ⌘+Shift+N Yes (Intelligent Tracking Prevention)

Firefox is the strongest out-of-the-box choice for private sessions: its Enhanced Tracking Protection blocks third-party trackers automatically, going beyond what Chrome and Edge do in their private modes.

## What Are the Most Common Private Browsing Mistakes?

These are the assumptions I see catch people out most often, with the fix for each.

In short: most private-browsing mistakes come from expecting it to do a job it was never built for.

1. **Assuming you are anonymous.** Private browsing only removes local traces. Fix: pair it with a trusted VPN for any network-level privacy.
2. **Trusting it on a work or school device.** Administrators see traffic at the router level regardless of browser mode. Fix: use your own device and network for anything sensitive.
3. **Staying signed into Google or Facebook.** Once you log in, those companies link your browsing to your account. Fix: sign in only when you genuinely need to, then sign out.
4. **Treating it as malware protection.** Downloaded files and malicious scripts execute identically in Incognito. Fix: keep antivirus running at all times.
5. **Forgetting your location is still visible.** GPS permissions and IP geolocation behave the same in private mode. Fix: deny the location prompt when you want it hidden from a specific site.

## Frequently Asked Questions

In short: private mode protects you locally, so its limits show up the moment your traffic leaves your device.

### Can my parents see my Incognito history?

Yes, if they use the router admin panel or parental-control software. For example, when I checked my own router’s log, every domain I visited in Incognito appeared there, because those tools record DNS queries at the network level regardless of browser mode.

### Does private browsing delete history automatically?

It deletes your local browsing history the moment you close the window. Logs held by your ISP, your router, or the websites you visited are untouched. For instance, the travel site you booked through still has its own server-side record of your visit.

### Is Incognito mode safer for online banking?

It is no more or less secure for the connection itself, since HTTPS handles encryption either way. The real benefit on a shared device is that your session cookies and login state vanish when you close the window. For ongoing credential safety, review your saved passwords across Chrome, Firefox, Edge, and Safari.

### Does Chrome Incognito block ads?

No. Most extensions, including ad blockers, are disabled in Incognito by default. For example, my uBlock filter stays inactive until I explicitly allow it under “Allow in Incognito” at chrome://extensions.

### Can websites tell I am using Incognito mode?

Sometimes. Some sites probe filesystem API behavior to guess private mode. It is harder to do reliably than it once was, but on certain browser and site combinations it still works, which is why a few paywalls quietly block private windows.

### What is the best free way to browse more anonymously?

Tor Browser, which is free and open source, routes your traffic through three relays and strips many fingerprinting signals. It is slower than a standard browser, but I reach for it when anonymity matters more than speed. If you also want to cut tracking prompts at the source, learn how to stop intrusive browser notifications and pop-ups.

## Conclusion

Private browsing is a solid tool for keeping local history clean and protecting form data on shared devices. It is not a privacy cloak: your ISP, your network admin, and every site you visit still see your traffic.

In short: use private mode for local cleanup, and add a VPN or Tor whenever the connection itself needs to stay private.

Pair private mode with a trusted VPN for real network-level protection, and decide before each session which job you actually need it to do. Try opening a private window now and check what it does and does not erase on your own setup.

See Who Is Connected to Your Wi-Fi and Block Unknown Devices

See who is connected to your Wi-Fi in minutes: log into your router, spot unfamiliar devices, and lock out freeloaders with a new password or MAC filter today.

See who is connected to your Wi-Fi and you can spot a freeloading neighbor, a forgotten old phone, or a stranger camped on your network in about two minutes. Your home router quietly keeps a live list of every device on the line, and reading it takes nothing more than a browser and your router password. The single most powerful move is also the simplest: changing your Wi-Fi password instantly kicks off everyone you do not recognize.

I run this check on my own network roughly once a month, and the first time I did it I found a “DESKTOP” entry I could not place. It turned out to be my own NAS, but the two minutes of doubt were exactly why this habit is worth building.

Quick Answer

Open a browser and go to your router’s admin page, usually 192.168.1.1 or 192.168.0.1. Log in with the credentials printed on the router label, then open “Connected Devices,” “DHCP Clients,” or “Device List.” To remove anyone you do not recognize, change your Wi-Fi password and reconnect only your own devices.

How Do I Log Into My Router Admin Page?

Type your router’s IP address into a browser, then sign in with the admin credentials on its label. Finding that IP takes one command or one settings screen.

Find Your Router’s IP Address

On Windows, press Win + R, type cmd, and run ipconfig. Look for “Default Gateway” — that is your router’s IP. On a Mac, open System Settings > Network > Wi-Fi > Details > TCP/IP. On iPhone or Android, tap your connected Wi-Fi network in Settings and read the Router or Gateway field. The most common defaults are 192.168.1.1, 192.168.0.1, and 10.0.0.1.

Open the Admin Panel

Type that IP into the browser address bar and press Enter. A login screen appears. Default credentials (often admin/admin or admin/password) are printed on a sticker on the bottom or back of the router. If you changed them and forgot, a factory reset restores the defaults.

Change the Admin Password While You Are In

The first time I logged into my own panel, the admin password was still the factory default — and so is most people’s. Set a unique one under Administration or Management right away, because those factory logins are published online and any device already on your network could use them to reconfigure your router.

Two minutes in your router panel gets you both the device list and a quick admin-password upgrade.

Where Is the Connected Devices List on My Router?

Look for a menu labeled “Connected Devices,” “DHCP Client List,” “Attached Devices,” or “LAN Clients” — the exact wording varies by brand. On most routers it lives under Status, Home Network, or Basic. Each entry shows three things:

  • IP address — the local address your router assigned to that device.
  • MAC address — a hardware fingerprint unique to each network adapter.
  • Hostname — the name the device reports, such as “Johns-iPhone” or “DESKTOP-AB12CD.”

If you do not see the list immediately, check the Status and Home Network menus before assuming your router lacks one.

How Do I Identify What Each Device Is?

Match the MAC address in the router list against your own devices before you panic — smart-home gadgets, mesh nodes, and consoles often carry cryptic names. Here is how I confirm each one:

  1. On Windows, open Command Prompt and run ipconfig /all. Match the “Physical Address” (MAC) to the router entry.
  2. On a phone, go to Settings > Wi-Fi, tap your network name, and read the MAC address on the detail screen.
  3. Smart speakers, bulbs, and cameras usually show a brand name like “Amazon-Echo,” “Philips-Hue,” or “Ring-Camera.”

If an entry has a random string for a hostname, or a blank name you cannot account for, treat it as suspicious. One caution from experience: a device you just powered off can linger for 10 to 15 minutes until the router releases its DHCP lease, so check the “Active” or last-seen column before blocking anything.

A MAC match against your own hardware is the only reliable way to tell a freeloader from your own smart bulb.

What Is the Best Way to Block Unknown Devices?

Changing your Wi-Fi password is the strongest fix because it disconnects everyone at once; MAC filtering is the surgical option when you want to remove one device without disrupting the household.

Option A: Change Your Wi-Fi Password (Recommended)

This instantly disconnects every device on the network, and only the ones you re-enter the password on reconnect.

  1. In the admin panel, open Wireless or Wi-Fi Settings.
  2. Find the WPA2/WPA3 Password or Security Key field.
  3. Enter a new password of at least 12 characters mixing upper, lower, numbers, and symbols.
  4. Save and apply. Everything on the network drops immediately.

Option B: Block by MAC Address (Targeted)

Use this when you want to remove one specific device without making everyone re-enter a new password.

  1. Copy the unknown device’s MAC address from the device list.
  2. Open MAC Filtering, Access Control, or Block Devices.
  3. Add the MAC to the block list and save.
Router Brand Device List Location Block Option
Netgear Advanced > Attached Devices Block Device button per entry
TP-Link Advanced > Network Map Blacklist in Wireless > Advanced
ASUS Network Map > Clients Block from client details panel
Linksys Status > Local Network > DHCP Table Wireless MAC Filter section
Xfinity Admin UI > Connected Devices Pause device in xFi app

MAC filtering can be bypassed by someone who spoofs their hardware address, which is exactly why I lean on Option A for anything that genuinely worries me. While you have the network locked down, it is also worth confirming your security mode is WPA2-AES or WPA3, and if your connection still feels slow afterward, our guide to eliminating Wi-Fi dead zones covers the placement fixes that help most.

For a real intruder, a fresh password beats MAC filtering every time because a spoofed address slips right past a block list.

Common Mistakes to Avoid

  1. Leaving the default router admin password. Factory credentials are documented online, so anyone already on your network can log in. Fix: set a unique admin password under Administration or Management today.
  2. Trusting device hostnames alone. Hostnames are self-reported and can be set to anything. Fix: cross-check the MAC address against your own device’s Wi-Fi settings.
  3. Ignoring the guest network. Devices on your guest network appear in a separate list. Fix: check the Guest Network section in the admin panel separately.
  4. Blocking a device you actually own. Hubs, mesh nodes, and streaming sticks often look unfamiliar. Fix: list all your own devices before blocking anything.
  5. Running outdated WEP encryption. WEP is broken and crackable in seconds. Fix: set wireless security to WPA2-AES or WPA3 in Wi-Fi Settings.

Frequently Asked Questions

How do I find my router’s default login credentials?

Check the sticker on the bottom or back of the router for the admin username and password. If it is worn off, search your router’s model number plus “default login” — most manufacturers publish these. When I helped a neighbor, his model’s defaults were on the maker’s support page within seconds.

Will changing my Wi-Fi password disconnect everyone immediately?

Yes, instantly and for every device at once. Write the new password down first so you can reconnect right away — the time I forgot, I had to re-enter it on a TV, two phones, and a thermostat one by one.

Is MAC address filtering enough protection on its own?

No, because MAC addresses can be spoofed with free software. Use filtering as an extra layer alongside a strong WPA2/WPA3 password, not as your only defense — I treat it as a speed bump, not a wall.

Can someone see my internet traffic if they are on my Wi-Fi?

In theory yes, since shared network access makes inspection possible. Stick to HTTPS sites (the padlock confirms encryption) and consider a VPN if you suspect the network was compromised — I switched to HTTPS-only browsing the day I found an entry I could not explain.

How often should I check who is connected?

Once a month is a sensible routine, plus any time you notice slowdowns or unfamiliar devices. I pair the check with paying my internet bill so I never forget it.

My router does not show a connected devices list — what can I do?

Use your ISP’s app (xFi for Xfinity, My Fios for Verizon) or a free scanner. Tools like Wireless Network Watcher (Windows) or the Fing app list every device with hostname and MAC, and Fing is what I ran on the network where the router panel showed nothing useful.

Conclusion

Checking who is on your Wi-Fi takes two minutes and can surface freeloaders you never knew were there. Log in, scan the device list, and change your password if anything looks off — that one step handles most unauthorized access. If a website still will not load afterward, see our fix for Wi-Fi that shows connected but no internet, then lock down your network today.