
Does Your Business Have a Well-Known URL for Changing Passwords? It Should!

Graham Cluley

September 22, 2020

  • Your customers can be helped to change their weak passwords
  • All your company needs to do is make one change to its website
  • Supports new feature coming to Google Chrome next month

We all know users can be careless with their password security.

They choose passwords that are weak and easy to crack, passwords that are easily guessed, or simply reuse the same password time and time again.

A good password manager can warn a user that they're making mistakes like this, and encourage that vulnerable passwords be changed to stronger alternatives.

Unfortunately, that's still something of a nuisance to even security-conscious users, as they may find it time-consuming or simply too much effort to visit different websites, and work out where and how they can change their login credentials.

One simple initiative aims to make that process much more straightforward, but it depends on online businesses and websites supporting it.

Here's an example of a website that has implemented the feature:

If you're logged into Twitter on your PC, and visit https://twitter.com/.well-known/change-password you will find your browser automatically redirected to Twitter's change password screen.


The same thing happens on Apple (apple.com/.well-known/change-password), Spotify (spotify.com/.well-known/change-password), WordPress (wordpress.com/.well-known/change-password) and an increasing number of other sites.

This wasn't hard for these websites to do. All they had to do was create a file called "change-password" and put it in a subdirectory called ".well-known" off their website's root.

The file could either contain instructions on how a user could update their password or - arguably even better - automatically redirect to the actual change password webpage.
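Here is what the redirect variant looks like as a minimal web handler. This is an added example, not code from the article or from any of the sites it names; the host in CHANGE_PASSWORD_URL is hypothetical, and the second well-known path comes from the W3C/WICG change-password specification rather than from this article.

```python
"""Minimal responder for /.well-known/change-password (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Fixed, same-origin HTTPS target (hypothetical host). Keep this a constant:
# deriving it from the request would turn the well-known URL into an open redirect.
CHANGE_PASSWORD_URL = "https://example.com/account/security/password"

WELL_KNOWN_CHANGE_PASSWORD = "/.well-known/change-password"
# Defined by the change-password spec so clients can detect servers that
# answer 200 to every path; a supporting site must NOT return 200 here.
WELL_KNOWN_MUST_NOT_EXIST = (
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"
)


def response_for(request_target):
    """Map a request target to (status, headers, body); the query string is ignored."""
    path = urlsplit(request_target).path
    if path == WELL_KNOWN_CHANGE_PASSWORD:
        # Redirect straight to the real change-password page; don't cache it,
        # so the target can move without stale copies lingering in clients.
        return 302, {"Location": CHANGE_PASSWORD_URL,
                     "Cache-Control": "no-store"}, b""
    if path == "/":
        return 200, {"Content-Type": "text/html; charset=utf-8"}, b"<h1>Example site</h1>"
    # Everything else, including WELL_KNOWN_MUST_NOT_EXIST, is a genuine 404.
    # Sites whose fallback is "200 for any path" fail the spec's probe here.
    return 404, {"Content-Type": "text/plain; charset=utf-8"}, b"Not found"


class WellKnownHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = response_for(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command == "GET":
            self.wfile.write(body)

    do_HEAD = do_GET  # same status and headers, no body


if __name__ == "__main__":
    # Local demo only: in production this sits behind TLS on the site's own origin.
    HTTPServer(("127.0.0.1", 8080), WellKnownHandler).serve_forever()
```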

(By the way, the .well-known folder can also be used for other purposes, such as the creation of a security.txt file which can contain instructions on how a website can be contacted if a security issue is discovered.)

The beauty of this /.well-known/change-password approach is that any software that detects you may need to change your password for a particular website can now easily direct you to precisely where you need to be to update that password.

The feature has been used by the likes of Safari and iCloud Keychain since 2019, and it should also be added to the shipping version of the Google Chrome browser next month. Support in other browsers will surely follow afterwards, making it that much easier for more users to change compromised passwords.

So what are you waiting for? If you're a business which has a website that customers access via a password, spend a few minutes creating your own .well-known/change-password URL which points users to the correct place.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

