Helping users change passwords with well-known URLs

Hello!

We share a small but useful translation articles how to simplify the process of updating data for authentication.

Set a redirect from the page /.well-known/change-password to the page for changing the password for your site. This will allow password managers to direct users directly to this page.

Introduction

Passwords – not the best way to manage accounts… Yes, new technologies are emerging that bring the world of the future closer, for example, WebAuthn and one-time passwords. However, these methods are still developing, and developers will have to work with passwords, at least for the next few years, for sure. Until new technologies become commonplace for us, we can at least try to simplify our lives.

One way is to provide better support for password managers.

How password managers can help us out

Password managers can be built into browsers or used as third-party applications. What is the use of them?

Autocomplete to correctly enter the password in the appropriate field… Some browsers find the required field on their own, even if the site is not optimized for this purpose. That being said, web developers facilitate the work of password managers, correctly annotating input HTML tags

Preventing phishing attacks… Password managers remember where the password was entered, so it can only be entered automatically for matching URLs, not on phishing sites.

Create strong and unique passwords… Such passwords are generated and stored by a password manager. Users do not need to memorize them.

Generating and auto-filling passwords using a password manager is a popular choice on the Internet, but you need to consider their life cycle: updating passwords is just as important as generating and auto-filling them. To do this, password managers add a new feature:

They identify vulnerable passwords and offer to replace them… Password managers can detect passwords that are reused, they are able to analyze their entropy and weakness, and they can identify potentially vulnerable passwords or those that are deemed insecure in sources such as Have i been pwned

A password manager can warn the user about problem passwords, but there are a lot of complications here: you need to prompt the user to go from the home page to the password change page, in addition to the password change process itself, which can vary from site to site. Of course, it would be much easier if password managers could redirect the user directly to the change password page. Here provides well-known password change URLs that can come in handy in this situation.

By reserving a well-known URL path that redirects to the change password page, the site can easily take users to the right place to change their passwords.

Customize well-known URL to change passwords

Path in address .well-known / change-password proposed as well-known URL for changing passwords… All you have to do is configure the server to redirect requests to .well-known / change-password to your site’s password change URL.

For example, suppose your website is example.comand the URL for changing the password is example.com/settings/password… You need to configure the server to redirect the request with example.com/.well-known/change-password on example.com/settings/password… And that’s it! To redirect use HTTP status code 302 Found, 303 See Other or 307 Temporary Redirect

Another option: you can serve HTML at your URL .well-known / change-passwordusing the tag from http-equiv = “refresh”

<meta http-equiv="refresh" content="0;url=https://example.com/settings/password">

Check the HTML of the password change page

The goal of this phase is to make the password life cycle more flexible. We can do 2 steps for the user to update the password without any problems:

  • If your password change form requires the current password, add autocomplete = “current-password” in tag so that the password manager can fill it in automatically.
  • For the new password field (in many cases even two fields so that the user will accurately enter the new password correctly) add autocomplete = “new-password” in tag to help the password manager suggest the generated password.

You can learn more about the recommendations when using the login form on the site by this link

How everything described is used in reality

Examples of

Thanks to Apple Safari support, /.well-known/change-password became available on some major sites:

Try filling out the registration form there and do the same for your site!

Browser Compatibility

Well-known URL to change passwords supported in Safari since 2019… Chrome Password Manager has supported it since version 86 (a stable release is scheduled for late October 2020). Other Chromium-based browsers might follow suit as well. Firefox believes a password manager should be implemented, but there is no information yet when exactly.

Chrome password manager behavior

Let’s take a look at how the Chrome password manager handles vulnerable passwords.

Chrome Password Manager is able to check for leaked passwords. When you go to the page chrome: // settings / passwords, users can check whether the passwords match the saved ones and view a list of those that are recommended to be updated.

When selecting a block “Change Password”, next to the password that is recommended to be updated, the browser will display:

  • Open the site password change page if /.well-known/change-password configured correctly.
  • Open the site home page if /.well-known/change-password not configured and Google does not know the fallback.

Feedback

If you have any feedback or suggestion, please post a bug at author repositories

Useful Resources

Photo taken Matthew brodeur and posted on the website Unsplash

Similar Posts

Leave a Reply