> example.com provides a /.well-known/change-password resource which redirects to their change password form, wherever it happens to already be.
> Password managers check for the existence of /.well-known/change-password on https://example.com.
> If it's there (the response code is 2xx or 3xx), the password manager can cause the user's browser to navigate there when the user indicates they'd like to change their password.
It's not trying to enforce a particular password schema, it's not an API endpoint to automate changing passwords, and it is not trying to dictate site design or form layout.
It's also dirt simple to implement with practically zero cost.
Aside from Safari, it doesn't seem like any password managers have implemented this yet.
It's also not in the IANA well-known URI registry yet (even as draft), so that would probably at least allow it to get a bit more traction. Apparently they are working towards that.
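The check described in the quoted text above, as an added example that is not part of the original thread: a probe that requests /.well-known/change-password without following redirects and treats any 2xx or 3xx status as support. The loopback server, its plain-HTTP transport and the `/account/password` form path are constructed for the demo; a real check would go to the site over HTTPS.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

WELL_KNOWN = "/.well-known/change-password"

def probe_change_password(host, port, use_tls=True, timeout=5):
    """Return (supported, status, location) without following redirects."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", WELL_KNOWN)
        resp = conn.getresponse()
        resp.read()
        # Per the quoted text: the resource counts as present on 2xx or 3xx.
        supported = 200 <= resp.status < 400
        return supported, resp.status, resp.getheader("Location")
    finally:
        conn.close()

class _Site(BaseHTTPRequestHandler):
    """Constructed stand-in for example.com; the form path is hypothetical."""
    redirects = True

    def do_GET(self):
        if self.redirects and self.path == WELL_KNOWN:
            self.send_response(302)
            self.send_header("Location", "/account/password")
        else:
            self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo(redirects):
    """Run the probe against a loopback site that does or does not implement the resource."""
    handler = type("Site", (_Site,), {"redirects": redirects})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_change_password("127.0.0.1", server.server_port, use_tls=False)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo(True))   # site that redirects to its existing form
    print(demo(False))  # site without the resource
```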
In fact, someone could write a browser plugin to put a screen between the user and the website that states "This website fails to implement .well-known link. Are you sure you want to continue?" like Chrome does for sites that have borked DNS. If a reasonably large number of people used that you'd see lots of sites implement this idea without needing regulations. I'd use that.
You could have that plugin have a database of sites and also provide easy links for those sites that try to hide those functions.
Isn't this mandated to be present and accessible by the GDPR anyway?
Ultimately, not having a clear and easy policy for cancelling the service and deleting the account only happens when the company is malicious, and attempts to exploit the user. Having this visible plain as day is something I'd love.
We are a non profit, and don't run from user donations.
It's a pretty cool spec and we use it in my day job (Okta) but it's not widely implemented. If a few major providers - like Google, Microsoft, GitHub, WordPress, etc - implemented it, I think it'd explode.
And regarding more legislation, no thanks.