DEV Community

Navneet Karnani
Navneet Karnani

Posted on • Originally published at blog.mandraketech.in on

Handling the Change Password url

Most web applications require user identification for login. There are normally two possible strategies (build vs buy):

  1. Build your own

  2. Use a 3rd Party identity service, like Google or Okta

In either of the cases, there is the need to "change password".

The browser and stand-alone password managers have a standard URL to use to enable their users to change passwords, especially when the security analysis shows that there may have been a leak, either from their site or where the "same" password has been reused.

The best practice is to redirect the /.well-known/change-password URL to the page where the password can be changed by the user.

Also, the field that asks for the current password should have the autocomplete="current-password" property in it, to enable the password managers to behave correctly.

Google has a great page to call out these, and more practices:

https://web.dev/change-password-url/

If you are interested in the standards page to see this, and more in the .well-known world, check out these :

.well-known change-password specification

https://w3c.github.io/webappsec-change-password-url/

All .well-known registered URLs:

https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml

Top comments (0)