Google is adding support for the “Well-Known URL for Changing Passwords” standard. This will make it easy to change weak and compromised passwords using Chrome.
Update: An earlier version of this article had incorrect information about how Chrome might change password on your behalf. I have removed this section. Chrome will only redirect you to change password pages.
Table of Contents
What is “Well-Known URL for Changing Passwords”
This is a standard that websites can adopt to define “a well-known URL” for password change that tools can use.
Allow me to explain.
I use Google Chrome as my password manager. You might be using Chrome, Edge or even a password managing tool like 1Password.
If you spend a few minutes, you could find the password change page for that website and add a new password. Preferably a complex password suggested by your password manager.
Wait, but you don’t always have that time. You postpone it.
As for Chrome, it does not know the URL to change the password for all the websites out there.
Unless there is a standard and websites can advertise the URL to change passwords.
A Well-Known URL for Changing Passwords
A Well-Known URL for Changing Passwords is an initiative by the W3C Community Group to help define a “well known” URL for password change.
“This specification defines a well-known URL that sites can use to make their change password forms discoverable by tools. This simple affordance provides a way for software to help the user find the way to change their password.”
You can find more details about this project here.
Google Chrome is preparing to add support for the Well-Known password change URL. Here is the flag that I spotted today in the code:
“Support for .well-known/change-password: If enabled the ‘change password’ button in password checkup redirects to the .well-known/change-password path. The path is supposed to point to the password change form of the site. When the site doesn’t support .well-known/change-password it is checked if a fallback url is available. Otherwise the user is redirected to the orgin.”
According to paul.kinlan.me, a similar standard can be used for various other function. Here is a list of examples:
- A well-known location for GDPR-based consent models (cookie consent) – site owners could offer a link to the page where a user can manage and potentially revoke all cookies and other data consent items.
- A well-known location for browser permission management – site owners could offer a quick place for users to be able to revoke permissions to things like geo-location, notifications, and other primitives.
- A well-known path for account deletion and changes
- A well-known path for mailing list subscription management
Twitter and WordPress.com Onboard
According to Rick Mondello from Apple’s Safari team, Twitter already supports this feature.
Looking through the comments in that Twitter thread, WordPress.com also supports this feature.
The Well-Known password change has the potential to help users keep their accounts safe. I still have a few passwords on my account flagged by Chrome as compromised. Yet, I haven’t managed to change those passwords.
This feature could be a game changer for crazy-heads like me.
Let me know your thoughts in the comments section.