Change Password

From MgmtWiki
Revision as of 11:02, 6 October 2020 by Tom (talk | contribs) (Well-known URIs)

Jump to: navigation, search

Full Title or Meme

Whenever a security event is discovered the immediate call to a user is to Change Password.

Context

Users have been inundated with requests to change their password as a sort of magic elixir when the web site doesn't really know what to do. It costs the web site nothing to push the problem onto the user.

Solutions

Well-known URIs

  • RFC 5785 §1.1 Appropriate Use of Well-Known URIs
  There are a number of possible ways that applications could use Well-
  known URIs.  However, in keeping with the Architecture of the World-
  Wide Web [W3C.REC-webarch-20041215], well-known URIs are not intended
  for general information retrieval or establishment of large URI
  namespaces on the Web.  Rather, they are designed to facilitate
  discovery of information on a site when it isn't practical to use
  other mechanisms; for example, when discovering policy that needs to
  be evaluated before a resource is accessed, or when using multiple
  round-trips is judged detrimental to performance.

Change to Browser

A change password url of an origin is a URL that points to a resource that clients can use to discover where a user should go to update their password on origin.

Given an origin, clients generate a change password url by running these steps:

  1. If origin is not a potentially trustworthy origin, return failure.
  2. Assert: origin is a tuple origin.
  3. Let url be a new URL with values set as follows:
scheme
   origin’s scheme

host
   origin’s host

port
   origin’s port

path
   « ".well-known", "change-password" ».
  1. Return url.

References