Difference between revisions of "Change Password"

From MgmtWiki
==Full Title or Meme==
Whenever a security event is discovered the immediate call to a user is to [[Change Password]].

==Context==
Users have been inundated with requests to change their password as a sort of magic elixir when the web site doesn't really know what to do. It costs the web site nothing to push the problem onto the user. If the site were subsequently compromised it could argue that it had satisfied its obligation by pushing the problem to the user.

==Solutions==
===Well-known URIs===
* RFC 5785 §1.1 Appropriate Use of Well-Known URIs
  There are a number of possible ways that applications could use Well-
  known URIs.  However, in keeping with the Architecture of the World-
  Wide Web [W3C.REC-webarch-20041215], well-known URIs are not intended
  for general information retrieval or establishment of large URI
  namespaces on the Web.  Rather, they are designed to facilitate
  discovery of information on a site when it isn't practical to use
  other mechanisms; for example, when discovering policy that needs to
  be evaluated before a resource is accessed, or when using multiple
  round-trips is judged detrimental to performance.

===Change to Browser===
* [https://www.chromestatus.com/feature/6256768407568384 Chrome Platform Status] for A Well-Known URL for Changing Passwords.
* [https://w3c.github.io/webappsec-change-password-url/ Editor's Draft] A Well-Known URL for Changing Passwords
* [https://bugs.chromium.org/p/chromium/issues/detail?id=927473 Chromium Issue 927473:] Implement change-password-url ./well-known/change-password-url
* [https://web.dev/change-password-url/ web.dev instructions] on serving the well-known URL from a site.

A change password url of an origin is a URL that points to a resource that clients can use to discover where a user should go to update their password on origin.

Given an origin, clients generate a change password url by running these steps:
# If origin is not a potentially trustworthy origin, return failure.
# Assert: origin is a tuple origin.
# Let url be a new URL with values set as follows:
#: scheme: origin’s scheme
#: host: origin’s host
#: port: origin’s port
#: path: « ".well-known", "change-password" »
# Return url.
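The following is an added example, not code from this wiki or from the W3C draft: it walks through the four steps above for a client, and sketches the site side that the web.dev instructions describe (answering the well-known path with a redirect to the real change-password page). The "potentially trustworthy origin" test is a simplified assumption (https and wss schemes, plus loopback hosts); the function names and the redirect helper are hypothetical.

```javascript
// Added example: client-side construction of the change password url per the
// draft's steps, plus a minimal server-side helper. Not the browser's or any
// site's real implementation.

// Assumption: a simplified "potentially trustworthy origin" test. Secure
// schemes are trustworthy for any host; loopback hosts are trustworthy even
// over plaintext http/ws (this mirrors the Secure Contexts rules only loosely).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function isPotentiallyTrustworthyOrigin(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  return LOOPBACK_HOSTS.has(host) || host.endsWith(".localhost");
}

// Steps 1-4 from the draft, applied to a serialized origin string such as
// "https://example.com". Returns the change password url, or null on failure.
function changePasswordUrl(originString) {
  let parsed;
  try {
    parsed = new URL(originString);
  } catch {
    return null; // not even a URL: cannot be an origin
  }
  // Step 1: reject origins that are not potentially trustworthy, so a
  // plaintext http site never gets a change-password URL generated for it.
  if (!isPotentiallyTrustworthyOrigin(parsed)) return null;
  // Step 2: require a tuple origin (scheme, host, port) and nothing more:
  // an opaque origin serializes to "null", and anything carrying a path,
  // query, fragment or credentials is not a bare origin.
  if (parsed.origin === "null" || parsed.href !== parsed.origin + "/") return null;
  // Step 3: new URL with the origin's scheme, host and port, and the
  // well-known path « ".well-known", "change-password" ».
  const url = new URL(parsed.origin);
  url.pathname = "/.well-known/change-password";
  // Step 4
  return url.href;
}

// Site side (hypothetical framework-agnostic helper): answer the well-known
// path with a redirect to wherever the real change-password page lives, so
// clients need no prior knowledge of the site's layout. Any other path under
// this helper is a 404, so the well-known resource is the only one honoured.
function wellKnownChangePasswordResponse(pathname, changePasswordPage) {
  if (pathname === "/.well-known/change-password") {
    return { status: 302, headers: { Location: changePasswordPage } };
  }
  return { status: 404, headers: {} };
}

// Constructed sample inputs for a stand-alone run.
console.log(changePasswordUrl("https://example.com"));        // .../.well-known/change-password
console.log(changePasswordUrl("http://example.com"));         // null: not trustworthy
console.log(changePasswordUrl("https://example.com/login"));  // null: not a bare origin
console.log(wellKnownChangePasswordResponse("/.well-known/change-password", "/account/security"));
```

The tuple-origin check compares the parsed URL's serialization with its origin plus a trailing slash; this accepts "https://example.com:443" (the default port is dropped on both sides) while still rejecting any input that carries a path, query or userinfo.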

==References==

Latest revision as of 12:06, 6 October 2020