I’ve implemented this on my main website using a php redirect. What I’m considering doing is to force all users to move to Multi-factor authentication and link this change-password file to instructions on how to do that. Maybe even better than enforcing strong passwords…:
We all know users can be careless with their password security.
They choose passwords that are weak and easy to crack, passwords that are easily guessed, or simply reuse the same password time and time again.
A good password manager can warn a user that they’re making mistakes like this, and encourage that vulnerable passwords be changed to stronger alternatives.
Unfortunately, that’s still something of a nuisance to even security-conscious users, as they may find it time-consuming or simply too much effort to visit different websites, and work out where and how they can change their login credentials.
One simple initiative hopes to make that process much more straightforward, but it depends on online businesses and websites supporting it.
Here’s an example of a website that has implemented the feature:
If you’re logged into Twitter on your PC and visit https://twitter.com/.well-known/change-password you will find your browser automatically redirected to Twitter’s change password screen.
The same thing happens on Apple (apple.com/.well-known/change-password), Spotify (spotify.com/.well-known/change-password), WordPress (wordpress.com/.well-known/change-password) and an increasing number of other sites.
This wasn’t hard for these websites to do. All they had to do was create a file called “change-password” and put it in a subdirectory called “.well-known” off their website’s root.
The file could either contain instructions on how a user could update their password or – arguably even better – automatically redirect to the actual change password webpage.
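One minimal implementation of what the last two paragraphs describe, written here as an added example (not code from the article or from any of the sites it names): a standard-library WSGI handler that answers `/.well-known/change-password` with a redirect to the real change-password page, plus a check a site owner can run to confirm the URL behaves the way a password manager or browser expects. The target path `/account/password` and the host `example.com` are assumptions.

```python
"""Serve /.well-known/change-password as a redirect (WSGI, stdlib only).

Added example for the article above; not code from the article or any of
the sites it names. The target path /account/password is an assumption.
"""
from urllib.parse import urljoin
from wsgiref.util import application_uri

WELL_KNOWN_PATH = "/.well-known/change-password"
# Assumed location of the site's real change-password page.
CHANGE_PASSWORD_PATH = "/account/password"


def change_password_app(environ, start_response):
    """Redirect the well-known URL to the real change-password page."""
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "")
    if path == WELL_KNOWN_PATH and method in ("GET", "HEAD"):
        # Use a temporary redirect (302) rather than 301: browsers cache
        # 301s aggressively, which would pin clients to a stale target if
        # the change-password page ever moves. Mark the response no-store
        # for the same reason.
        target = urljoin(application_uri(environ), CHANGE_PASSWORD_PATH)
        start_response("302 Found", [("Location", target),
                                     ("Cache-Control", "no-store"),
                                     ("Content-Length", "0")])
        return [b""]
    body = b"Not Found\n"
    start_response("404 Not Found", [("Content-Type", "text/plain"),
                                     ("Content-Length", str(len(body)))])
    return [body]


def fetch(app, path, method="GET", host="example.com", scheme="https"):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SCRIPT_NAME": "",
        "SERVER_NAME": host,
        "SERVER_PORT": "443" if scheme == "https" else "80",
        "HTTP_HOST": host,
        "wsgi.url_scheme": scheme,
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def check_well_known_redirect(app, host="example.com"):
    """True if the well-known URL answers with a 3xx and a same-site HTTPS Location.

    This is the check a site owner would run after deploying the file: a
    plain 200 page (or a redirect off to another host) is not what a
    password manager following the URL expects.
    """
    status, headers, _ = fetch(app, WELL_KNOWN_PATH, host=host)
    code = int(status.split()[0])
    location = headers.get("Location", "")
    return 300 <= code < 400 and location.startswith(f"https://{host}/")


if __name__ == "__main__":
    # Stand-alone run: exercise the handler against constructed requests.
    print(fetch(change_password_app, WELL_KNOWN_PATH)[:2])
    print("redirect ok:", check_well_known_redirect(change_password_app))
```

The same thing can of course be done with a one-line rule in the web server configuration or the PHP redirect the poster mentions; the point of the handler is that the well-known path answers with a redirect rather than a page, and that the redirect is not cached permanently.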