Security Tip: A Well-Known URL for Changing Passwords
[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware of too!
Password managers are awesome, and they make dealing with secure passwords across hundreds of different accounts easy. They integrate with your browser, generate new passwords on registration forms, detect when you change passwords, and can even tell you when you’re using passwords that need to be changed.
For example, here’s my 1Password Watchtower report:
1Password will tell me when I have passwords that need changing, but in order for it to prompt me to change each password, it needs a bit of help. That’s where the “Well-Known URL for Changing Passwords” comes in!
The proposal is very simple: just create the `/.well-known/change-password` resource on your app and redirect it to your actual password change URL. Password managers will check `/.well-known/change-password`, and if it returns a 2xx or 3xx, the password manager will send the user there to change their password. The browser will then handle the redirect, as per normal.
For example:

- GitHub: `https://github.com/.well-known/change-password` redirects to `https://github.com/settings/security`
- Twitter: `https://twitter.com/.well-known/change-password` redirects to `https://twitter.com/settings/password`
Are there any security concerns by using this?
There shouldn’t be.
Changing passwords is an expected feature, so broadcasting its existence isn't an issue. Likewise, if the user isn't logged in, they should simply be redirected to the login form and then bounced to the change password form after authenticating themselves.
The only way I can see this being an issue is if the change password form had a CSRF vulnerability, but if that's the case... you've got much bigger problems.
I've been using (and paying for) 1Password for years, and it is worth it. And no, they did not sponsor this.