Not defending google but I don't believe that Google is sending the passwords anywhere

This is how 1password does it for their watchtower feature (basiclaly same feature as your google example)

https://support.1password.com/watchtower-privacy/

The way it works is that instead of sending your password to their server to check (which they do not do that). They download known a list of leaked password to local to check.

I think that you are too naively wrong on this.

The wording of Google is very very ambiguous there avoid to say that they are sending it but says that they are encrypting your credentials so that Google can't know it.

I have found the following page that gives more details:

https://community.spiceworks.com/t/is-google-chromes-passwor...

So if what it says is true, they don't exactly send your password, but still quite a lot of data about your credentials, in addition with the fact that you are trying to connect to a website based on the fact that you are doing the request at this exact moment.

Again, in theory I don't have a problem with them providing that kind of service. Just not to suddenly enable it for users in secret, hide very well the way to disable that, and especially when you asked Google to not manage your passwords.

A good question to ask is why the option to disable that is not located near the parameters for password and password management in the browser?

This isn't "weakly related". It's you trying to hijack a topic to discuss your totally unrelated topic. The result is that a substantial proportion of the discussion is now about whether your tangent has any merit or not.

It's not true, here on Android you just want to use a web browser, the one that is deeply linked in your phone, and they profit of their spot to insert dependencies to their service. Stealthily. Looks probably meaningless but just the fact that you don't have an obvious option to disable that in password management of the parameters should tell you something about it.

Also that even if you don't want your browser to sync with Google, to use Google search, your Chrome to use your Google account, there are still connections and data about you sent to Google...

I'm under the impression chrome still uses k-anonymity to check leaked passwords and never sees your password (or the hash of it). Here's a discussion (2019): https://news.ycombinator.com/item?id=21758388

  What Google does see is a hash-prefix of your username, to narrow down the encrypted data set of compromised credentials being returned to your Chrome instance.

We don't have the same background, but I don't think that it is ok at all.

Sending even a few bytes of hash about your username is quite a lot of data.

That might be enough to weaken your credentials, but mostly think about what they can do or 3 letters agencies can do with this info that is streaming straight to US:

Even without certitude of the exact account, we can know that you connected to a website with a credential that matched a defined hash. We can know that you connected regularly with it, probably time when you connected as the check is performed most of the time when you are connected, we can corroborate that with other access logs. We know that you were not using other usernames that you provided that are not marching this one based on hash.

As an example, US is asking users to list all their social accounts, I think that it is optional but they would like very much to make it mandatory. Then, imagine that they compare all the username you provided with the hash of passwords you checked regularly on your device to say: you probably have other or alternative accounts that you don't declare.

All of that in a stealth surprising way for users that asked nothing. It's a lie to say that it is protecting "your browsing experience". It is unrelated. You can not browse to a website and tour account is still hacked. Website owners are free to report to users leaks. Users are free to use password manager with such features.

I seem to recall they do this the way other similar things do, which does not involve sending your passwords anywhere.

When they do is hash your password, then take something like the first 20 bits and send that to a site that keeps a list of hashes of known leaked passwords. That site returns all the hashes that start with that 20 bits. Chrome than checks that list to see ifthe full hash of your password is on it.

Are they sending the passwords or are they hashing and sending the hashes? I know 1Password's watchtower uses hashes to detect leaked passwords.

Almost certainly they're sending hashes. However, if they don't have a way to disable this, that's a serious problem, hashes or not.

Both Microsoft and Apple do password checks in a privacy preserving manner, where they do not have cloud access to it.

I’d assume Google do the same. Do you have any evidence they have access to your data?

They're probably sending a hash of the password, not the password itself, but, no opt-out isn't great.

Sending a hash seems pointless because I assume sites would salt/pepper the password before hashing so the hashes are different. Or maybe I'm naive about sites following best practices

Google isn't comparing your password to a password inside some other site's server! It's comparing to leaked passwords.

If sites leaked passwords were hashes of salt/peppered passwords then it wouldn't match

I've converted back to Firefox now. It's not perfect but it's a decent alternative.