Security Tip: A Well-Known URL for Changing Passwords

[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware of too!


Password managers are awesome[1], and they make dealing with secure passwords across hundreds of different accounts easy. They integrate with your browser, generate new passwords on registration forms, detect when you change passwords, and can even tell you when you’re using passwords that need to be changed.

For example, here’s my 1Password Watchtower report:

My 1Password Watchtower, showing 3 compromised websites and 14 vulnerable passwords.

1Password will tell me when I have passwords that need changing, but in order for it to prompt me to change each password, it needs a bit of help. That’s where the “Well-Known URL for Changing Passwords” comes in!

The proposal is very simple: create the /.well-known/change-password resource on your app and redirect it to your actual password change URL.

Password managers will request /.well-known/change-password, and if it returns a 2xx or 3xx status, the password manager will send the user there to change their password. The browser then handles the redirect as normal.

For example:

https://github.com/.well-known/change-password

redirects to

https://github.com/settings/security

And

https://twitter.com/.well-known/change-password

redirects to

https://twitter.com/settings/password

Are there any security concerns with using this?

There shouldn’t be.

Changing passwords is an expected feature, so broadcasting its existence isn’t an issue. Likewise, if the user isn’t logged in, they should be redirected to the login form when they are bounced to the change password form.
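To make the setup and the "not logged in" case concrete, here is an added Go example (not code from this post or from any of the sites named above): a minimal app that redirects the well-known resource to its real change-password page, a probe that does what the password manager does, and a redirect follower that shows where a logged-out user lands. The `/settings/password` target, the `/login` path and the `session` cookie are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ChangePasswordPath is the well-known resource password managers probe.
const ChangePasswordPath = "/.well-known/change-password"

// NewApp redirects the well-known resource to the real change page (target path is assumed here).
func NewApp(target string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(ChangePasswordPath, func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, target, http.StatusFound) // any 2xx/3xx satisfies the manager
	})
	mux.HandleFunc(target, func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie("session"); err != nil { // the page's usual auth gate still applies
			http.Redirect(w, r, "/login", http.StatusFound)
			return
		}
		fmt.Fprintln(w, "password change form")
	})
	return mux
}

// Probe mimics the manager: fetch the path without following redirects, accept 2xx or 3xx.
func Probe(h http.Handler) (ok bool, status int, location string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, ChangePasswordPath, nil))
	status, location = rec.Code, rec.Header().Get("Location")
	return status >= 200 && status < 400, status, location
}

// FinalPath follows redirects like a browser (max 5 hops), with or without a session cookie.
func FinalPath(h http.Handler, path string, loggedIn bool) string {
	for hops := 0; hops < 5; hops++ {
		req := httptest.NewRequest(http.MethodGet, path, nil)
		if loggedIn {
			req.AddCookie(&http.Cookie{Name: "session", Value: "constructed"}) // constructed sample session
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		loc := rec.Header().Get("Location")
		if rec.Code < 300 || rec.Code >= 400 || loc == "" {
			return path
		}
		path = loc
	}
	return path
}
```

With `NewApp("/settings/password")`, `Probe` reports a 302 to `/settings/password`, and `FinalPath` ends at `/login` without a session cookie and at `/settings/password` with one.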


[1] If you don’t already use one, then I recommend checking out 1Password.