Hacker News

Can someone clarify, is this actually for resetting a forgotten password? I don't quite follow.

example.com's change password functionality should be behind an authenticated page that requires a) the user be already logged in, and b) the user's current password (for confirmation).

Whereas example.com's forgot/reset password functionality is usually a wide-open page anyone can reach to begin the process of password reset (more in line with what this spec seems to be describing).

Did you read the explainer?

> Currently, if the user of a password manager would like to change their password on example.com, basically all the password manager can do is load example.com in a browser tab and hope the user can figure out how to update their password themselves.

> The goal of this spec is to do the simplest possible thing to improve this situation.

It's an attempt to standardize the endpoint for changing a password. Which is kinda random for each website currently.

> Did you read the explainer?

I did. My confusion arose from it. Something is clear to you that is not to me :)

https://news.ycombinator.com/.well-known/change-password will just redirect to https://news.ycombinator.com/changepw. If the user isn't logged in, that page asks the user to log in.

Ah I see, and from the perspective of a password manager it would know what password to fill into the password field to get the user into the site. After that, once on the change password screen said manager would also take over generating a new password, yes?
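The flow discussed in this thread, as an added example that is not part of any comment and not code from the spec or from any site: the well-known URL only redirects, and the change-password page itself enforces login and the current password. The `/changepw` path comes from the comment above; the `/login` path, the `sid` cookie, the `current`/`new` form fields, the 302 status, and the `SESSIONS`, `PASSWORDS` and `call` names are assumptions made for the illustration.

```python
# Added example: minimal WSGI app. All data below is constructed for the demo.
import hmac
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSIONS = {"s3ss10n-demo": "alice"}      # constructed session id -> user
PASSWORDS = {"alice": "old-password"}     # constructed; real apps store salted hashes

def current_user(environ):
    """Return the logged-in user for the request's session cookie, or None."""
    sid = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("sid")
    return SESSIONS.get(sid.value) if sid else None

def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET")
    def reply(status, body=b"", headers=()):
        start_response(status, [("Content-Type", "text/plain"), *headers])
        return [body]
    if path == "/.well-known/change-password":
        # Fixed same-origin target; never derived from request input.
        return reply("302 Found", headers=[("Location", "/changepw")])
    if path == "/changepw":
        user = current_user(environ)
        if user is None:                   # not logged in: ask the user to log in
            return reply("302 Found", headers=[("Location", "/login")])
        if method == "GET":
            return reply("200 OK", b"change password form")
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        old, new = form.get("current", [""])[0], form.get("new", [""])[0]
        # Require the current password even though a session already exists.
        if not new or not hmac.compare_digest(old.encode(), PASSWORDS[user].encode()):
            return reply("403 Forbidden", b"current password required")
        PASSWORDS[user] = new
        return reply("200 OK", b"password changed")
    return reply("404 Not Found")

def call(method, path, cookie="", body=b""):
    """Drive the app in-process; returns (status, headers dict, body)."""
    seen = {}
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = app(env, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"], b"".join(out)

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```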
