I attended BSidesSF this year for the first time in a while and saw Aalaa Kamal Satti and Yuru Shao of Pinterest speak about their efforts on password security for both Pinterest’s consumer and business users. During their talk they spoke about implementing support for the /.well-known/change-password URI that allows websites to integrate with the password managers that ship within most modern browsers.

These password managers have had features like checking for compromised credentials via HaveIBeenPwned for a while, but prior to the /.well-known/change-password URI they all suffered one crucial limitation. The complete absence of any standards in website building meant that even if they could notify a user about a weak password, they couldn’t direct them to the settings page that they needed to change it. The inability to create a one-click navigation for password updates meant that only the most motivated users would successfully find their way through to completing the flow. This definitely rings true of my own experience of the internet. Could you reliably find the change password page on any website you’ve used within the last 18 months with only three clicks starting from the homepage? I couldn’t.

Chrome's password manager warning of a compromised password on Facebook.com with a 'Change Password' action (source https://web.dev)

How do you use it?

To add support for your own website:

  • deploy a redirect from /.well-known/change-password to your password change form.
  • add autocomplete="new-password" to the “new password” and “confirm new password” inputs on the change-password form.
  • add autocomplete="current-password" to any input where the existing password must be re-entered to confirm the change.