Helping users change passwords with well-known URLs

Hello!



We are sharing the translation of a small but useful article on how to simplify the process of updating data for authentication.


Redirect from /.well-known/change-password to the password change page for your site. This will allow password managers to direct users directly to this page.







Introduction



Passwords are not the best way to manage accounts. Yes, new technologies that bring the future closer are emerging, such as WebAuthn and one-time passwords. But these methods are still maturing, and developers will certainly have to work with passwords for at least the next few years. Until the new technologies become commonplace, we can at least try to make our lives simpler.



One way is to provide better support for password managers.



How password managers can help us out



Password managers can be built into browsers or used as third-party applications. What is the use of them?



Autofilling the password into the correct field. Some browsers find the required field on their own, even if the site is not optimized for it, but web developers make the password manager's job easier by correctly annotating the HTML input tags.



Prevention of phishing attacks. Password managers remember where a password was entered, so they only autofill it on a matching URL, not on a phishing site.



Generating strong, unique passwords. The password manager generates and stores such passwords; users do not need to memorize them.



Generating and autofilling passwords with a password manager is common on the web, but the password lifecycle matters too: updating passwords is just as important as generating and autofilling them. For this, password managers are adding a new feature:



Identifying vulnerable passwords and offering to replace them. Password managers can detect reused passwords, analyze their entropy and weakness, and flag passwords that are potentially compromised or known to be insecure from sources such as Have I Been Pwned.



A password manager can warn the user about problem passwords, but there is a lot of friction: the user must navigate from the home page to the password change page, and the password change flow itself varies from site to site. It would be far simpler if the password manager could send the user directly to the change password page. This is where a well-known password change URL comes in.



By reserving a well-known URL path that redirects to the change password page, the site can easily take users to the right place to change their passwords.



Set up a well-known URL for changing passwords



The path /.well-known/change-password is proposed as the well-known URL for changing passwords. All you have to do is configure the server to redirect requests for /.well-known/change-password to your site's password change URL.



For example, let's say your website is example.com and the password change URL is example.com/settings/password. You must configure the server to redirect requests for example.com/.well-known/change-password to example.com/settings/password. And that's it! For the redirect, use the HTTP status code 302 Found, 303 See Other, or 307 Temporary Redirect.



Alternatively, you can serve HTML at your /.well-known/change-password URL using a <meta> tag with http-equiv="refresh":



<meta http-equiv="refresh" content="0;url=https://example.com/settings/password">
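The following is an added example (not code from the original article) showing the redirect described above as a minimal WSGI handler, together with a small checker a site owner can run against the response to confirm it is a well-formed redirect: status 302/303/307, a Location header, HTTPS, same host, and no loop back to the well-known path. The origin https://example.com and the path /settings/password are assumptions for a hypothetical site.

```python
"""Redirect /.well-known/change-password and verify the response.

Added example; not from the original article. SITE_ORIGIN and
PASSWORD_CHANGE_PATH are assumptions for a hypothetical site.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"          # assumption: the site's canonical origin
PASSWORD_CHANGE_PATH = "/settings/password"  # assumption: where the real form lives
WELL_KNOWN_PATH = "/.well-known/change-password"
REDIRECT_STATUSES = {302, 303, 307}          # the status codes the article names


def change_password_app(environ, start_response):
    """WSGI app: redirect the well-known path, answer 404 for everything else."""
    path = environ.get("PATH_INFO", "")
    if path == WELL_KNOWN_PATH:
        location = SITE_ORIGIN + PASSWORD_CHANGE_PATH
        start_response("302 Found", [("Location", location), ("Content-Length", "0")])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def check_well_known_response(status, headers):
    """Return a list of problems; an empty list means the redirect is well formed."""
    problems = []
    if status not in REDIRECT_STATUSES:
        problems.append(f"status {status} is not one of {sorted(REDIRECT_STATUSES)}")
    location = {k.lower(): v for k, v in headers}.get("location")
    if not location:
        problems.append("missing Location header")
        return problems
    target = urlsplit(location)
    origin = urlsplit(SITE_ORIGIN)
    if target.scheme != "https":
        problems.append("Location is not https")
    if target.netloc != origin.netloc:
        problems.append("Location points off-site")
    if target.path == WELL_KNOWN_PATH:
        problems.append("Location loops back to the well-known path")
    return problems


def run_local(path):
    """Drive the WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}  # constructed request
    body = b"".join(change_password_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = run_local(WELL_KNOWN_PATH)
    print(status, headers, check_well_known_response(status, headers))
    # To serve it for real:
    #   from wsgiref.simple_server import make_server
    #   make_server("localhost", 8000, change_password_app).serve_forever()
```

The checker is the part worth keeping after deployment: run it against the live response of your own site whenever the settings routes change, since a redirect that lands on an HTTP URL, a different host, or the well-known path itself will send the password manager's user somewhere unexpected.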




Check the HTML of the password reset page



The goal of this step is to make the password lifecycle smoother. Two things help the user update the password without problems:



  • If your password change form requires the current password, add autocomplete="current-password" to its <input> tag so that the password manager can fill it in automatically.
  • For the new password field (often two fields, so the user can confirm the new password was typed correctly), add autocomplete="new-password" to the <input> tag to help the password manager suggest a generated password.
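As an added example (not from the original article), the block below renders a password change form with the two autocomplete hints just described and includes a small audit that parses existing HTML and reports any password field a password manager cannot classify, either because the attribute is missing or because it carries no password token (for instance autocomplete="off"). The form action path and the LEGACY_FORM sample are constructed for the example.

```python
"""Render a password-change form with autocomplete hints and lint existing forms.

Added example; not from the original article. The action path and the sample
HTML are constructed for illustration.
"""
from html.parser import HTMLParser

# Tokens that let a password manager tell the current and the new password apart.
PASSWORD_TOKENS = {"current-password", "new-password"}


def password_change_form(action="/settings/password"):
    """Return constructed markup with the hints described in the article."""
    return f"""<form method="post" action="{action}">
  <label>Current password <input type="password" name="old" autocomplete="current-password" required></label>
  <label>New password <input type="password" name="new" autocomplete="new-password" required></label>
  <label>Repeat new password <input type="password" name="confirm" autocomplete="new-password" required></label>
  <button type="submit">Change password</button>
</form>"""


class _PasswordInputAudit(HTMLParser):
    """Collect password inputs whose autocomplete attribute gives no usable hint."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, problem)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() != "password":
            return
        name = a.get("name") or a.get("id") or "<unnamed>"
        tokens = set((a.get("autocomplete") or "").lower().split())
        if not tokens:
            self.findings.append((name, "missing autocomplete attribute"))
        elif not tokens & PASSWORD_TOKENS:
            self.findings.append(
                (name, f"autocomplete has no password token: {' '.join(sorted(tokens))}")
            )


def audit_password_inputs(html):
    """Return [(field name, problem)] for every password input lacking a hint."""
    parser = _PasswordInputAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of a form written before the autocomplete hints existed.
LEGACY_FORM = """<form method="post" action="/account">
  <input type="password" name="pw">
  <input type="password" name="pw2" autocomplete="off">
  <input type="text" name="nickname">
</form>"""


if __name__ == "__main__":
    print(audit_password_inputs(password_change_form()))  # expected: no findings
    for field, problem in audit_password_inputs(LEGACY_FORM):
        print(f"{field}: {problem}")
```

The audit is deliberately tolerant of extra tokens (for example a section- or username-scoped autocomplete value) and only complains when no password token is present at all; run it over rendered templates rather than source files, since the attribute is often added by a form helper.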


You can find out more about the guidelines for sign-in forms here.



How this is used in practice



Examples



Thanks to Apple Safari's support, /.well-known/change-password is already available on some major sites:





Try filling out the registration form there and do the same for your site!



Browser Compatibility



The well-known change-password URL has been supported in Safari since 2019. Chrome's password manager has supported it since version 86 (a stable release is scheduled for late October 2020). Other Chromium-based browsers might follow suit as well. Firefox considers it worth implementing, but there is no information yet on when.



Chrome password manager behavior



Let's see how the Chrome password manager handles vulnerable passwords.



Chrome's password manager can check for leaked passwords. On the chrome://settings/passwords page, users can run a check against their saved passwords and view a list of those that are recommended to be updated.







When the user presses the "Change password" button next to a password that is recommended to be updated, the browser will:

  • open the site's password change page if /.well-known/change-password is configured correctly;
  • open the site's home page if /.well-known/change-password is not configured and Google does not know a fallback.




Feedback



If you have any feedback or suggestions, please file a bug in the author's repository.



Useful Resources





Photo by Matthew Brodeur and posted on Unsplash


