Implementing the change-password-url spec

A relatively new spec has been released (GitHub - w3c/webappsec-change-password-url: A Well-Known URL for Changing Passwords) that essentially suggests a common URL on a website that redirects to its change password page. The implementation on the password manager side is launching said URL from the program.

E.g.
example.com → edit → change password → click [change password on site] to open example.com/.well-known/change-password

There are still a few unknowns in how the UI would actually function here:

  • does the app check ahead of time if the url exists for a given site
  • should the app pre-fill the “old password”, “new password”, “repeat password” inputs
  • should the user change the password in the app before opening the .well-known/change-password url

None of these are really up to me though. This workflow is a suggestion to help everyone understand how the spec would function in the real world.

It may also make sense to wait and see if this spec gains ground or falls off. For now though, I just want to raise awareness. It seems like a simple and useful idea.

For reference on its traction:

  • hackernews article
  • there are plans to submit to the well-known URI registry (discussed in the hackernews comments)
  • github stars: GitHub stars
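
The step described in the post, turning a saved login's URL into the well-known change-password address before launching it, shown as an added example that is not part of the original post or the spec's own code. The function name `change_password_url`, the `allow_http` switch and the https-only default are assumptions made for illustration; the sample entries are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/change-password"
DEFAULT_PORTS = {"https": 443, "http": 80}


def change_password_url(stored_url: str, allow_http: bool = False) -> Optional[str]:
    """Build the well-known URL from a vault entry's URL, or return None.

    Only the origin (scheme, host, port) of the stored URL is kept. Path,
    query, fragment and any embedded user:password are dropped so nothing
    from the saved entry leaks into the address handed to the browser.
    """
    try:
        parts = urlsplit(stored_url.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None

    # Assumption: the app refuses anything but https unless the user opts in,
    # and never launches other schemes (javascript:, file:, app links).
    allowed = ("https", "http") if allow_http else ("https",)
    if parts.scheme not in allowed or not parts.hostname:
        return None

    host = parts.hostname          # already lower-cased, userinfo removed
    if ":" in host:                # IPv6 literal needs its brackets back
        host = f"[{host}]"

    origin = f"{parts.scheme}://{host}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin + WELL_KNOWN_PATH


if __name__ == "__main__":
    # Constructed vault entries
    for entry in ("https://example.com/login?next=/account",
                  "https://user:secret@Example.com:8443/a",
                  "http://example.com/",
                  "javascript:alert(1)"):
        print(f"{entry!r:45} -> {change_password_url(entry)}")
```
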