This specification defines a well-known URL that sites can use
to make their change password forms discoverable by tools. This simple
affordance provides a way for software to help the user find the way to
change their password.
The (archived) public mailing list public-webappsec@w3.org (see instructions)
is preferred for discussion of this specification.
When sending e-mail,
please put the text “change-password-url” in the subject,
preferably like this:
“[change-password-url] …summary of comment…”
Publication as a Working Draft does not imply endorsement by W3C and its Members. This is a draft document and may be updated, replaced or
obsoleted by other documents at any time. It is inappropriate to cite this
document as other than work in progress.
This document was produced by a group operating under
the W3C Patent Policy.
W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group;
that page also includes instructions for disclosing a patent.
An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
Client-side password management software helps improve both the security and usability of websites which require authentication. It improves security by reducing cross-site password reuse, and enhances usability by providing autofill functionality.
Sites currently lack a way to programmatically advertise where a user can change their password. By proposing a well-known URL for changing passwords, this specification enables password managers to help users change their passwords on sites which support it.
2. Infrastructure
This specification depends on the Infra Standard. [INFRA]
A change password url of an origin is a URL that points to a resource that clients can use to discover where a user should go to update their password on origin.
Given an origin, clients generate a change password url by running these steps:
The change password url for origin "https://example.com/" is "https://example.com/.well-known/change-password".
Note: The above paragraph restricts servers to using temporary redirect codes.
See Issue 13.
If necessary, servers may respond with an HTML document containing an http-equiv pragma directive in the refresh state. [HTML] Clients should handle such redirects when requesting a change password url.
This document defines the “.well-known” URI change-password.
This registration will be submitted to the IESG for review, approval, and registration with IANA using the template defined in [WELL-KNOWN] as follows:
Thanks to
Anne van Kesteren,
Cl1608Ho,
Dan Bernstein,
David Singer,
Dean Jackson,
Florian Rivoal,
John Wilander,
Maciej Stachowiak,
Mark Nottingham,
Mike West, and
Ricky Mondello
for their feedback on this proposal. All of its features are theirs and all of its bugs are mine.
Conformance
Document conventions
Conformance requirements are expressed
with a combination of descriptive assertions
and RFC 2119 terminology.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL”
in the normative parts of this document
are to be interpreted as described in RFC 2119.
However, for readability,
these words do not appear in all uppercase letters in this specification.
All of the text of this specification is normative
except sections explicitly marked as non-normative, examples, and notes. [RFC2119]
Examples in this specification are introduced with the words “for example”
or are set apart from the normative text
with class="example",
like this:
This is an example of an informative example.
Informative notes begin with the word “Note”
and are set apart from the normative text
with class="note",
like this:
Note, this is an informative note.
Conformant Algorithms
Requirements phrased in the imperative as part of algorithms
(such as "strip any leading space characters"
or "return false and abort these steps")
are to be interpreted with the meaning of the key word
("must", "should", "may", etc)
used in introducing the algorithm.
Conformance requirements phrased as algorithms or specific steps
can be implemented in any manner,
so long as the end result is equivalent.
In particular, the algorithms defined in this specification
are intended to be easy to understand
and are not intended to be performant.
Implementers are encouraged to optimize.