
This is a nice simple convenience feature, for sure [1]:

> example.com provides a /.well-known/change-password resource which redirects to their change password form, wherever it happens to already be.

> Password managers check for the existence of /.well-known/change-password on https://example.com.

> If it's there (the response code is 2xx or 3xx), the password manager can cause the user's browser to navigate there when the user indicates they'd like to change their password.

It's not trying to enforce a particular password schema, it's not an API endpoint to automate changing passwords, and it is not trying to dictate site design or form layout.

It's also dirt simple to implement with practically zero cost.

Aside from Safari, it doesn't seem like any password managers have implemented this yet. It's also not in the IANA well-known URI registry [2] yet (even as draft), so that would probably at least allow it to get a bit more traction. Apparently they are working towards that [3].

[1] https://github.com/WICG/change-password-url/blob/gh-pages/ex...

[2] https://www.iana.org/assignments/well-known-uris/well-known-...

[3] https://twitter.com/rmondello/status/1042008520105779206
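To make the quoted mechanism concrete, here is an added example (not from the thread or the WICG spec) with both sides in one file: a tiny WSGI handler for the site, which redirects the well-known path to wherever the real form already is, and the password manager's check, which treats a 2xx or 3xx status as "supported" exactly as the quoted text describes. The form path /account/security and the probe helper are assumptions.

```python
from urllib.parse import urljoin

WELL_KNOWN_PATH = "/.well-known/change-password"
CHANGE_PASSWORD_FORM = "/account/security"  # hypothetical location of the real form


def site_app(environ, start_response):
    """Site side (WSGI): redirect the well-known path to the existing form.
    Every other path is a plain 404, which is what makes the probe meaningful;
    a site that answers 200 to every unknown path would falsely look supported."""
    if environ.get("PATH_INFO") == WELL_KNOWN_PATH:
        start_response("302 Found", [("Location", CHANGE_PASSWORD_FORM),
                                     ("Content-Length", "0")])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def unsupported_app(environ, start_response):
    """A site that has not adopted the convention: 404 for everything."""
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def probe(app):
    """Password-manager side. Calls the WSGI app directly (stands in for a
    real GET to the origin) and returns (status_code, Location header or None)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": WELL_KNOWN_PATH}
    list(app(environ, start_response))  # drain the body iterator
    return captured["status"], captured["headers"].get("Location")


def change_password_url(app, origin):
    """Return the absolute URL the browser should open, or None if the site
    does not advertise support. 2xx means the well-known path itself is the
    form; 3xx means follow the Location header."""
    status, location = probe(app)
    if 200 <= status < 400:
        return urljoin(origin, location or WELL_KNOWN_PATH)
    return None
```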

How about something like:

This would also be nice as we wouldn't need things like https://justdelete.me

I can't imagine those taking off without legislation. Making it easier to change passwords is more or less in the interest of the companies who make web sites; making it easier to delete accounts or export all of your data, by comparison, is not.

Until users decide that the business interests of the companies that run the websites they use are less important than their own interests, these features will never catch on. How about we stop using websites that fail to implement things that are good for us?

In fact, someone could write a browser plugin to put a screen between the user and the website that states "This website fails to implement .well-known link. Are you sure you want to continue?" like Chrome does for sites that have borked DNS. If a reasonably large number of people used that you'd see lots of sites implement this idea without needing regulations. I'd use that.

But then how would users get to Facebook? /s

You could have that plugin have a database of sites and also provide easy links for those sites that try to hide those functions.

Well, yes. I was solely looking from a user's perspective.

> making it easier to delete accounts or export all of your data, by comparison, is not.

Isn't this mandated to be present and accessible by the GDPR anyway?

Yes but present and accessible is a low bar. For most companies you have to email support to make this happen.

I can't imagine it either, but I wish we could try to establish things like these as having signalling value. Adding a redirect there is as trivial as it could possibly be, so if this could get established as "best practice", then there would be no excuse for companies not to support it.

Ultimately, not having a clear and easy policy for cancelling the service and deleting the account only happens when the company is malicious, and attempts to exploit the user. Having this visible plain as day is something I'd love.

My employer would have no problem with it.

We are a non-profit, and don't run from user donations.

That's starting to cross over into SCIM - http://www.simplecloud.info/

It's a pretty cool spec and we use it in my day job (Okta) but it's not widely implemented. If a few major providers - like Google, Microsoft, Github, Wordpress, etc - implemented it, I think it'd explode.

Seems unlikely that Google, Microsoft, Facebook and their related entities would implement this though?

Yeah, no way these things will take off without legislation.

And regarding more legislation, no thanks.

Here's an open source version of the common password rotation feature in most online password manager services: https://github.com/ddevault/pass-rotate

The one nice thing about specifying a password change API would be that password managers could change passwords automatically, but I can definitely see the elegance in not attaching it to this specific spec (it could be achieved with a meta tag or similar).

Off topic, but I'm dying to know: why is the "American Society of Heating, Refrigeration, and Air-conditioning Engineers (ASHRAE)" in the "People" section of that IANA well-known URI list?

It's apparently because of an HTTP-based home automation protocol:


