Most web applications require user identification for login. There are normally two possible strategies (build vs buy):
Build your own
Use a third-party identity service, like Google or Okta
In either case, users need a way to change their password.
Browsers and stand-alone password managers use a standard URL to send their users to a site's change-password page, especially when their security analysis shows that a password may have leaked, either from that site or from another site where the same password was reused.
The best practice is to redirect the /.well-known/change-password URL to the page where the user can change the password.
Also, the field that asks for the current password should carry the autocomplete="current-password" attribute, so that password managers behave correctly.
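The two recommendations above as an added example (not code from the original post): a Python WSGI app that redirects the well-known URL to a fixed change-password page and serves a form carrying the autocomplete hints. The paths /account/password and /account/password/update, the field names, and the call() helper are assumptions for illustration.

```python
from wsgiref.simple_server import make_server

WELL_KNOWN = "/.well-known/change-password"
CHANGE_PAGE = "/account/password"         # hypothetical: your real change-password page
UPDATE_URL = "/account/password/update"   # hypothetical: handled by the application's own code

FORM = f"""<!doctype html>
<form method="post" action="{UPDATE_URL}">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="current" autocomplete="current-password">
  <input type="password" name="new" autocomplete="new-password">
  <button>Change password</button>
</form>""".encode()


def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    if path == WELL_KNOWN:
        # The target is a constant same-origin path, never built from request
        # data, so this endpoint cannot be abused as an open redirect.
        start_response("302 Found", [("Location", CHANGE_PAGE), ("Content-Length", "0")])
        return [b""]
    if path == CHANGE_PAGE and environ.get("REQUEST_METHOD", "GET") == "GET":
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(FORM))),
                                  ("Cache-Control", "no-store")])
        return [FORM]
    # Unknown paths return a real 404: a server that answers 200 for every
    # URL gives clients no way to tell whether the well-known URL is supported.
    start_response("404 Not Found", [("Content-Type", "text/plain"), ("Content-Length", "9")])
    return [b"not found"]


def call(path, method="GET"):
    """Drive the app in-process; returns (status, headers, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": method}, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    make_server("127.0.0.1", 8000, app).serve_forever()
```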
Google has a great page that calls out these and other practices:
If you are interested in the standards pages for this, and more of the .well-known world, check out these:
.well-known change-password specification
.well-known registered URLs: