Change Password
From MgmtWiki
Contents
Full Title or Meme
Whenever a security event is discovered the immediate call to a user is to Change Password.
Context
Users have been inundated with requests to change their password as a sort of magic elixir when the web site doesn't really know what to do. It costs the web site nothing to push the problem onto the user. If the site were subsequently compromised it could argue that it had ratified its obligation by pushing the problem to the user.
Solutions
Well-known URIs
- RFC 5785 §1.1 Appropriate Use of Well-Known URIs
There are a number of possible ways that applications could use Well- known URIs. However, in keeping with the Architecture of the World- Wide Web [W3C.REC-webarch-20041215], well-known URIs are not intended for general information retrieval or establishment of large URI namespaces on the Web. Rather, they are designed to facilitate discovery of information on a site when it isn't practical to use other mechanisms; for example, when discovering policy that needs to be evaluated before a resource is accessed, or when using multiple round-trips is judged detrimental to performance.
Change to Browser
- Chrome Platform Status for A well-known URL for changing passwords.
- Editor' Draft A Well-Known URL for Changing Passwords
- chromium Issue 927473: Implement change-password-url ./well-known/change-password-url
- some web dev instructions.
A change password url of an origin is a URL that points to a resource that clients can use to discover where a user should go to update their password on origin.
Given an origin, clients generate a change password url by running these steps:
- If origin is not a potentially trustworthy origin, return failure.
- Assert: origin is a tuple origin.
- Let url be a new URL with values set as follows:
scheme origin’s scheme host origin’s host port origin’s port path « ".well-known", "change-password" ».
- Return url.
