Most web applications require user identification for login. There are normally two possible strategies (build vs buy):

- Build your own
- Use a 3rd party identity service, like Google or Okta
In either case, the application needs a "change password" flow.

Browsers and stand-alone password managers use a standard URL to send their users to the change-password page, especially when their security analysis suggests a leak, either from your site or from another site where the same password was reused.
The best practice is to redirect the /.well-known/change-password URL to the page where the user can change their password. The field that asks for the current password should also carry the autocomplete="current-password" attribute, so that password managers can fill it correctly.
Google has a great page that calls out these and more practices: https://web.dev/change-password-url/
If you are interested in the standards pages for this and more of the .well-known world, check these out:

- .well-known change-password specification: https://w3c.github.io/webappsec-change-password-url/
- All registered .well-known URLs: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml