Implementing the change-password-url spec

A new relatively new spec has been released (GitHub - w3c/webappsec-change-password-url: A Well-Known URL for Changing Passwords) that essentially suggests a common url on a website that redirects to their change password page. The implementation on the password manager side is launching said url from the program.

E.g. → edit → change password → click [change password on site] to open

There are still a few unknowns in how the UI would actually function here:

  • does the app check ahead of time if the url exists for a given site
  • should the app pre-fill the “old password”, “new password”, “repeat password” inputs
  • should the user change the password in the app before opening the .well-known/change-password url

None of these are really up to me though. This workflow is a suggestion to help everyone understand how the spec would function in the real world.

It may also make sense to wait and see if this spec gains ground of falls off. For now though, I just want to raise awareness. It seems like a simple and useful idea.

for reference on its traction:

  • hackernews article
  • there are plans to submit to the well-known URI registry (discussed in the hackernews comments)
  • github stars: GitHub stars