Redirect a request to /.well-known/change-password to the password change URL
Set up a redirect from /.well-known/change-password to your website's password change page. This lets password managers take your users directly to that page.
Introduction
As you may already know, passwords are not the best way to manage accounts. Fortunately, emerging technologies such as WebAuthn and techniques such as one-time passwords are helping us move toward a world without passwords. However, these technologies are still being developed and things will not change quickly. Many developers will still need to deal with passwords for at least the next few years. While we wait for emerging technologies and techniques to become commonplace, we can at least make passwords easier to use.
A good way to do this is to better support password managers.
How Password Managers Help
Password managers can be built into browsers or provided as third-party applications. They can help users in several ways:
Autofill the password into the correct input field: Some browsers can find the correct input heuristically even if the website is not optimized for this purpose. Web developers can help password managers by correctly annotating HTML input tags.
Prevent phishing: Because password managers remember where a password was recorded, the password is autofilled only at the appropriate URLs and not on phishing websites.
Generate strong and unique passwords: Because the password manager generates and stores strong, unique passwords directly, users do not have to remember a single character of the password.
Password generation and autofill with a password manager already work well on the web, but considering the password lifecycle, updating passwords whenever necessary is as important as generating and autofilling them. To take proper advantage of this, password managers are adding a new feature:
Detect vulnerable passwords and suggest updating them: Password managers can detect passwords that are reused, analyze passwords for entropy and weakness, and even detect potentially leaked passwords or those known to be unsafe from sources such as Have I Been Pwned?.
A password manager can warn users about problematic passwords, but there is a lot of friction in asking users to navigate from the home page to a password change page, in addition to going through the actual password change process (which varies from site to site). It would be much easier if password managers could take the user directly to the password change URL. This is where a well-known URL for changing passwords becomes useful.
By reserving a well-known URL path that redirects the user to the password change page, the website can easily send users to the right place to change their passwords.
Configure a well-known URL for changing passwords
/.well-known/change-password is proposed as the well-known URL for changing passwords. All you have to do is configure your server to redirect requests for /.well-known/change-password to your website's password change URL.
For example, let's say your website is https://example.com and the password change URL is https://example.com/settings/password. You only need to configure your server to redirect a request for https://example.com/.well-known/change-password to https://example.com/settings/password. That's it. For the redirect, use HTTP status code 302 Found, 303 See Other, or 307 Temporary Redirect.
Alternatively, you can serve HTML at your /.well-known/change-password URL with a <meta> tag that uses http-equiv="refresh":
<meta http-equiv="refresh" content="0;url=https://example.com/settings/password">
Revisit the password change page HTML
The goal of this feature is to make the user's password lifecycle smoother. You can do two things so that the user can update their password without friction:
- If your password change form requires the current password, add autocomplete="current-password" to the <input> tag to help the password manager fill it in automatically.
- For the new password field (in many cases two fields, to ensure that the user entered the new password correctly), add autocomplete="new-password" to the <input> tag to help the password manager suggest a generated password.
Learn more at Best Practices for the Login Form.
How to use it in the real world
Examples
Thanks to Apple Safari's implementation, /.well-known/change-password has already been available on some major websites for a while:
Try them for yourself and do the same for yours.
Browser compatibility
The well-known URL for changing passwords has been supported in Safari since 2019. Chrome's password manager is starting to support it as of version 86 (scheduled for a stable release in late October 2020), and other Chromium-based browsers may follow. Firefox considers it worth implementing, but as of August 2020 has not indicated that it plans to do so.
Chrome password manager behavior
Let's take a look at how Chrome's password manager handles vulnerable passwords.
Chrome's password manager can search for leaked passwords. By navigating to chrome://settings/passwords, users can run Check passwords against their stored passwords and view a list of passwords that are recommended to update.
By clicking Change password next to a password that is recommended to update, the browser will:
- Open the website's password change page if /.well-known/change-password is configured correctly.
- Open the website's home page if /.well-known/change-password is not configured and Google does not know an alternative.
Password managers try to determine whether a website supports the well-known URL for changing passwords by sending a request to /.well-known/change-password before forwarding a user to this URL. If the request returns 404 Not Found, the URL is obviously not available, but a 200 OK response does not necessarily mean that the URL is available, because there are some edge cases:
- A server-side rendering website shows "Not Found" when there is no content, but with 200 OK.
- A server-side rendering website responds with 200 OK when there is no content after redirecting to a "Not Found" page.
- A single-page application responds with the shell with 200 OK and shows the "Not Found" page on the client side when there is no content.
In these edge cases, users will be redirected to a "Not Found" page, which will be a source of confusion.
Because of this, there is a proposed standard mechanism to determine whether the server is configured to respond with 404 Not Found when there really is no content, by requesting a random page. In fact, a URL is also reserved for this: /.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200. Chrome, for example, uses this URL path to determine in advance whether it can expect a proper password change URL from /.well-known/change-password.
When you deploy /.well-known/change-password, make sure your server returns 404 Not Found for any non-existent content.
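The redirect configuration described above and the 404 probe just discussed, as one added example that is not code from the original article: a small Node.js request handler that serves the /.well-known/change-password redirect and answers a real 404 for unknown paths, alongside the check a password manager can run before forwarding a user. The hostname, target URL and route list are assumed values for illustration.

```javascript
// Added example, not code from the original article: a minimal Node.js request
// handler that serves the /.well-known/change-password redirect while keeping 404
// responses honest, plus the probe a password manager can run before forwarding
// a user. The hostname, target URL and route list are assumed for illustration.
const CHANGE_PASSWORD_PATH = "/.well-known/change-password";
const PROBE_PATH =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";
const PASSWORD_SETTINGS_URL = "https://example.com/settings/password"; // assumed target

// Routes the hypothetical site actually serves; everything else must answer 404.
const KNOWN_ROUTES = new Set(["/", "/settings/password"]);

// Map a request path to a { status, headers, body } response description.
function handleRequest(path) {
  if (path === CHANGE_PASSWORD_PATH) {
    // 302, 303 or 307 are all acceptable; 303 guarantees the client re-requests with GET.
    return { status: 303, headers: { Location: PASSWORD_SETTINGS_URL }, body: "" };
  }
  if (KNOWN_ROUTES.has(path)) {
    return { status: 200, headers: { "Content-Type": "text/html" }, body: "<h1>ok</h1>" };
  }
  // Unknown paths, including the probe URL, get a real 404 instead of a 200 "Not Found" page.
  return { status: 404, headers: { "Content-Type": "text/plain" }, body: "Not Found" };
}

// Password-manager side: decide whether /.well-known/change-password can be trusted.
// `fetchStatus(path)` returns the status of a GET with redirects not followed; it is
// injected so the logic can be checked offline against handleRequest.
function supportsChangePasswordUrl(fetchStatus) {
  if (fetchStatus(PROBE_PATH) === 200) {
    // The server answers 200 for content that cannot exist, so no answer is trustworthy.
    return false;
  }
  return fetchStatus(CHANGE_PASSWORD_PATH) !== 404;
}

// Optional stand-alone server wired to the handler; call startServer(8080) to run it.
async function startServer(port) {
  const http = await import("node:http");
  return http.createServer((req, res) => {
    const { status, headers, body } = handleRequest(new URL(req.url, "http://localhost").pathname);
    res.writeHead(status, headers);
    res.end(body);
  }).listen(port);
}
```

Pointing the probe at a server that returns 200 for every path (the SPA shell case above) makes supportsChangePasswordUrl return false, which is exactly why the deployment advice is to keep 404 responses honest.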
Feedback
If you have any comments on the specification, please submit a problem to the spec repository.
Resources
Photo by Matthew Brodeur on Unsplash