> simply allow oauth where my pass manager becomes my token provider
to be a simpler implementation then "PUT https://blabla.com/change-password" or whatever a password change request would look like?
The other poster is correct that immediately people would jump to using OAuth as one solution to manage which password manager apps can access that change password flow somewhat securely. At which, yes, why not just invert the OAuth flow and find better ways to make the Password Manager the provider rather than https://example.com and maybe eliminate the password entirely from the equation while we are at it.
Replay what? Me setting my password over HTTPS? How?
The sample URL was deliberately just an example. It would surely need more thought but i'm pretty sure the "PUT ..." solution is simpler then throwing oAuth at the problem.
So you're confident that the same people who can't secure the simple PUT request are better suited to implement the custom oAuth solution you are talking about? And that will be secure? I'd bet against that.
You need CSRF tokens to avoid replay attacks. You need some way for an app to Authorize: that they have permission to update someone's password. That's probably some sort of application whitelist. That application whitelist probably needs a permissions flow for a user to agree that Password Manager Brand X is indeed their password manager application of choice. Do we have a standard for such permission flows and app-specific bearer tokens? Oh look, it's OAuth that says "hi".
- You don't need "persmissin flows"
- You don't need "to update *someone's password" (just your own!)
- You don't need an "application whitelist" because HTTP doesn't know what an application is
Good password change forms have had CSRF tokens for decades now: https://en.wiktionary.org/wiki/CSRF_token
There are many known attacks whereby an attacker changes someone's password to control an account.
I don't care about OAuth at all. It's not an "OAuth mindset", it's a "I wouldn't trust a website at all in 2018 if it had an unsecure PUT endpoint to change my password" mindset.
HTTPS alone is not sufficiently secure. It's a start, but it is nowhere near enough on its own. SSL MITM attacks and Phishing are still problems today.
Requiring my current password isn't necessarily sufficient either: password cracking botnets exist. If the first sign that your password was cracked is that your password was changed to something only your attacker knows, that's not great. This is also where replay attacks come in. An attacker MITM or phishes this endpoint, and social engineers you into thinking you need to change your password, they get your old and new password together in one nice bundle.
Cookies aren't a sufficient answer for similar reasons. Again, take a look at cross-site request forgery issues and the history of replay attacks on password forms.
Application whitelists are a minimal security precaution to mitigate some botnets and phishing algorithms. HTTP does know what an application is, we often see application blacklisting done the hard way with User Agent strings and IP address ranges. Whitelisting is a more secure approach, but a lot harder to do securely (and why we have standards like OAuth; OAuth isn't the only answer, it's just the current easiest answer).
But that's my point. Keep it simple, let my password manager (be it on my mobile, laptop or whereever i want) change my password! Yes, i'd like that.
You don't even need that CSRF token, i don't know why.
To prove your identity you'll only need to prove that you know you your password. That's possible, securely.
See https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco... and https://en.wikipedia.org/wiki/Zero-knowledge_password_proof
Why do you need an application whitelist?! The website i am visiting isn't whitelisting my browser, so why would it need to whitelist my password manager?
Can you point me to some source for botnets which crack passwords? I would be surprised. It's not feasible to brute-force a password over HTTP.
That's just one account I see as currently most at risk. There are plenty of others I'm concerned about as well.
Passwords are fragile, brittle things. "Simple" security is no longer an answer when dealing with passwords. FULL STOP. It's time we moved past passwords altogether, but even where we can't, we absolutely have to be serious about password security from top to bottom.
You can victim blame "hacked websites" for "badly implemented security" all you want, but that's part of the point, too. Password infrastructure will always be lowest common denominator, because it is "easy", because it is "simple". Everyone thinks they can implement password security, and everyone is wrong. There are still people that don't hash, much less salt, their passwords in 2018. There are still people that don't realize "Security Questions" are Plaintext Passwords and a giant security risk. In the age of bitcoin mining there is no such thing as a hashed or salted password that cannot be brute forced. Bitcoin mining is password brute force at massive scale, and dropped rainbow table hardware to the price floor.
I'm sorry that you still have any illusions left that passwords are and/or can be "simple". Passwords are dead and yet we're all going to be fighting that forest fire for decades to come.
 Which admittedly, is a possibility, but it would be a surprising shock for an application as big as Steam.
This scares me. Are you proposing it as something that is necessary, or something that is necessary as part of the parent poster's suggestion to use HTTPS + PUT? If the former, how does this scale across the multiple platforms I use? Ugh. Scary.
You are right, it doesn't scale well.
To me (and one of the posters above) it's just more proof that password infrastructure in general doesn't scale very well (because security attack surface scales proportionally), and that we really need a better solution. "Simple password change HTTP PUT REST API standard" is a security nightmare, and we should all be afraid of the mere idea of it. We should instead be looking to get rid of passwords altogether, for something that maybe does scale better. Such as the suggestion above that it would be better to try to sketch an API that asks our password/token managers to log us in, rather than the other way around, like an SSH Agent or an OAuth/OpenID provider or some better standard we could attempt to devise.
Unfortunately its not a well-known api endpoint.