Handling the Change Password URL

Handling passwords yourself as a hosted application is still common practice. Did you know there is an industry standard for where the "change password" page lives?

Most web applications require users to authenticate before logging in. There are normally two possible strategies (build vs. buy):

  1. Build your own

  2. Use a 3rd Party identity service, like Google or Okta

In either case, users need a way to change their password.

Browser-integrated and stand-alone password managers use a standard URL to send their users to a site's change-password page, typically when the manager's security analysis shows that a password may have leaked, either in a breach of that site or because the same password was reused on another site that was breached.

The best practice is to have /.well-known/change-password answer with a redirect (302, 303 or 307) to the page where the user can change their password. The specification also expects a request for a .well-known resource that does not exist to return a non-200 status (it defines a probe path for exactly this), so that a password manager can tell a real redirect apart from a server that answers 200 to any path.

Also, the form field that asks for the current password should carry the autocomplete="current-password" attribute, and the field(s) for the new password autocomplete="new-password", so that password managers can fill the old password and generate and save the new one.
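Here is a minimal Go net/http server that wires both points together: the well-known URL redirects to the change-password page, any other /.well-known/ path (including the specification's probe path) gets an explicit 404, and the page itself is served with the autocomplete attributes. This is an added example, not code from this page or from the web.dev article; the path /settings/password and the form field names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// changePasswordPath is where a signed-in user actually changes their
// password. The path is an assumption for this example; use your own.
const changePasswordPath = "/settings/password"

// NewMux builds a mux that implements the well-known change-password URL:
//   - GET /.well-known/change-password redirects to the real page.
//   - Any other /.well-known/ path returns 404, so a password manager can
//     distinguish this server from one that answers 200 to everything
//     (the specification probes a path that should not exist).
func NewMux() *http.ServeMux {
	mux := http.NewServeMux()

	mux.HandleFunc("/.well-known/change-password", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// 303 See Other: the client follows with a GET. 302 or 307 also work.
		http.Redirect(w, r, changePasswordPath, http.StatusSeeOther)
	})

	// Catch-all for the rest of /.well-known/: explicit 404, never a soft 200.
	mux.HandleFunc("/.well-known/", func(w http.ResponseWriter, r *http.Request) {
		http.NotFound(w, r)
	})

	// The change-password page itself (authentication omitted here).
	mux.HandleFunc(changePasswordPath, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, ChangePasswordForm())
	})
	return mux
}

// ChangePasswordForm returns the form with the autocomplete hints password
// managers rely on: current-password for the existing secret, new-password
// for the new secret and its confirmation (so a generated password is offered
// and saved for both fields).
func ChangePasswordForm() string {
	return `<!doctype html>
<form method="post" action="` + changePasswordPath + `">
  <label>Current password
    <input type="password" name="current" autocomplete="current-password" required>
  </label>
  <label>New password
    <input type="password" name="new" autocomplete="new-password" required>
  </label>
  <label>Confirm new password
    <input type="password" name="confirm" autocomplete="new-password" required>
  </label>
  <button type="submit">Change password</button>
</form>
`
}

func main() {
	// Listen address is an assumption for the example.
	http.ListenAndServe(":8080", NewMux())
}
```

Run it and check with curl -i http://localhost:8080/.well-known/change-password (expect a 303 with Location: /settings/password) and curl -i http://localhost:8080/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 (expect a 404). The explicit /.well-known/ catch-all matters when the rest of the site is a single-page app that serves its index for every unknown path: that soft-200 behaviour is exactly what the probe is designed to catch.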

Google's web.dev has a good page that covers these and more practices:

https://web.dev/change-password-url/

If you want the specification itself, and more from the .well-known world, check out these:

.well-known change-password specification (W3C WebAppSec):

https://w3c.github.io/webappsec-change-password-url/

All .well-known registered URLs:

https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml