If I open an incognito window in Google Chrome and go to a webpage where Chrome has a saved username and password from (for example the login form on http://gmail.com), I see that my username and password are automatically filled in.
Does that mean that I am not really incognito? Can the website see my username even if I don't explicitly log in?
Or is there some mechanism behind the scenes that prevents the webpage from grabbing auto-filled values unless I actually log in?
Clarification:
Stored usernames (and passwords) are a lot like cookies: your unique identifier linked to a certain site, stored locally in your browser, available to the site when you open it.
When you go incognito you ask your browser not to identify you to the sites you visit. It does that by (among other things) not exposing its cookies. Exposing the stored username in this mode does not make sense to me (but maybe I'm missing something…).
Update (2014-09-25): it seems recent Chrome versions don't do this anymore.
Best Answer
Incognito means Chrome destroys all cookies created & doesn't record any websites that you visited. The passwords are filled in from Chrome's password manager, not from the site.
Incognito is also a client-side, browser-specific implementation - it doesn't mean no body will be able to track you.
Read Chrome's incognito message:
No, you've misunderstood here. Incognito mode works by destroying the cookies after the session is complete( which is signaled by you closing the incognito window). Incognito does not mean do not identify myself, it means do not keep a track of my activities when I'm on an incognito session.
The thing you are missing is how incognito works - the browser does not present any cookies - that does not mean the browser does not know which website you're visiting - the username/password is fetched by the browser by matching which site you're on - not via cookies.