Handling the Change Password url

Handling passwords as a hosted application is still a common practice. Did you know there is a industry standard to handle it ?

Most web applications require user identification for login. There are normally two possible strategies (build vs buy):

  1. Build your own

  2. Use a 3rd Party identity service, like Google or Okta

In either of the cases, there is the need to "change password".

The browser and stand-alone password managers have a standard URL to use to enable their users to change passwords, especially when the security analysis shows that there may have been a leak, either from their site or where the "same" password has been reused.

The best practice is to redirect the /.well-known/change-password URL to the page where the password can be changed by the user.

Also, the field that asks for the current password should have the autocomplete="current-password" property in it, to enable the password managers to behave correctly.

Google has a great page to call out these, and more practices:


If you are interested in the standards page to see this, and more in the .well-known world, check out these :

.well-known change-password specification


All .well-known registered URLs: