What should I do if I type my password in the address bar, or type password in google search?

If you accidentally disclose your password -- either through typing it into the address bar, or in any other way -- it's best to change it.

There's no need for any complicated checklist. Simply change that password, everywhere that you used that particular password. This will protect you.

Is it absolutely necessary to change your password if you typed it into the address bar? Perhaps not -- in practice, the risk is probably modest. Then again, why take a chance? If you type it into the address bar, it may be disclosed in cleartext over the network. For instance, if you are currently connected using open Wifi, anyone within range of the network who is eavesdropping could capture your password. Also, your password could potentially be captured in various logs. So, at that point, rather than taking a gamble, the safest thing to do is to immediately change your password. If you do that, you'll probably be fine.

(Originally from here), this is a more detailed answer regarding pasting a password into the...

Address bar

In this scenario, the name resolution is your worst enemy, as it leaks the password in multiple ways. Your password will leak to multiple DNS servers and through the local network – mostly in plain text, even if you are using encrypted connection to your DNS resolver.

• DNS resolvers will not handle the query just within themselves: they will start asking it from the authoritative name servers, starting from the root servers, or from a forwarder that does it for them.
• As this is not a real working domain name, it will be also queried using
  • Multicast DNS (mDNS, RFC 6762) and
  • Link-Local Multicast Name Resolution (LLMNR, RFC 4795).
• Both mDNS and LLMNR are using IP multicasting.
  • By default, ethernet switches will flood these requests to every port, as they won't see the multicast MAC addresses beginning with 01:00:5e as a source address on any ethernet frame.
  • Some switches can limit this using IGMP snooping, but it's still possible for anyone to join these multicast groups to get these IP multicast transmissions.

In addition, the password will leak to your search provider with most modern browsers after the name resolutions fails. Some browsers may also start sending out contents in the address bar even before you have pressed the enter, as explained in an answer for "Does accidentally pasting password into browser URL field send it over the network?".

TL;DR: Change your password.

---

In this example, testp4ssw0rd is typed into the address bar of Google Chrome on Windows 10.

• The computer 192.0.2.100 has local domain (configured through DHCP) example.com and, as a common bad practice, example.local. The 192.0.2.254 is a router that also acts as a DNS resolver.

  • With example.com, the resolver, any MITM and the ns1.example.com will know the testp4ssw0rd.
  • With example.local, the the NXDOMAIN reply comes from a root server.

• The MDNS (5353/udp) query testp4ssw0rd.local to 224.0.0.251 is an IP multicast query message with MAC address 01:00:5E:00:00:FB. It asks the host having that name to identify itself.

• Likewise, LLMNR (5355/udp) query testp4ssw0rd to 244.0.0.252 is an IP multicast query message with MAC address 01:00:5E:00:00:FC.
• As there wasn't devices with these names, you won't see mDNS/LLMNR responses.