Security Tip: A Well-Known URL for Changing Passwords

[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware of too!

Security Tip: A Well-Known URL for Changing Passwords

Password managers are awesome1, and they make dealing with secure passwords across hundreds of different accounts easy. They integrate with your browser, generate new passwords on registration forms, detect when you change passwords, and can even tell you when you’re using passwords that need to be changed.

For example, here’s my 1Password Watchtower report:

My 1Password Watchtower, showing 3 compromised websites and 14 vulnerable passwords.

1Password will tell me when I have passwords that need changing, but in order for it to prompt me to change each password, it needs a bit of help. That’s where the “Well-Known URL for Changing Passwords” comes in!

The proposal is very simple, just create the /.well-known/change-password resource on your app and redirect it to your actual password change URL.

Password managers will check the /.well-known/change-password, and if it returns a 2xx or 3xx, the password manager will send the user there to change their password. The browser will then handle the redirect, as per normal.

For example: 

redirects to


redirects to

Are there any security concerns by using this?

There shouldn’t be.

Changing passwords is a expected feature, so broadcasting it’s existence isn’t an issue. Likewise, if the user logged in, they should be redirected to the login form when they are bounced to the change password form.

Looking to learn more?
Security Tip #54: Hijacking Domains, the Easy Way?
▶️ In Depth #18: "Th1nk Lik3 a H4cker" Walkthrough (part 1)

  1. If you don’t already use one, then I recommend checking out 1Password.