Chrome 86 to feature improved password reset capabilities
Many modern web browsers include functionality to determine if saved passwords have been leaked in the past. Companies like Google or Mozilla maintain databases of leaked passwords and compare the hashes of these against passwords stored by users in the browser. If a match is found, the password has been leaked and is considered insecure.
A suggestion to reset the password is then displayed to the user. That process needs to be done manually as the user needs to visit the site the password was saved for and use the available password reset functionality on that site. Browsers may provide a link to the site but that is usually all the help that users get.
Apple introduced a new security feature in Safari that establishes a fixed path for password reset operations. The path uses the format /.well-known/change-password; since it is known, Apple may redirect users directly to the path if a password needs to be reset instead of the homepage of the service. The URL redirects automatically to the actual password reset page of the site.
Google plans to introduce support for the format in Chrome 86. The upcoming version of the web browser is expected to be released on October 6, 2020.
Chrome displays a change password button next to compromised passwords. A click on the button loads the password reset page if the site in question supports the "/.well-known/change-password" format, or to the site's homepage if there is no other fallback that Google knowns about.
An "Intent to Ship" post on the official Blink Dev group confirms Google's plan to ship the feature in the browser.
Websites can set a well-known change-password URL using the format, '/.well-known/change-password', to allow users to quickly navigate to a page allowing them to change their password. Chrome will leverage this URL to help users easily change their weak / compromised passwords following a bulk password check (Desktop, Android, iOS). We want to ship this to 100% in M86.
Tip: Chrome Beta and Canary uses may enable the feature right now by loading chrome://flags/#well-known-change-password in the browser's address bar and setting the experimental flag, called Support for .well-known/change-password', to Enabled, and restarting the browser afterwards.
Google published an article about the new feature on its Web Dev website already in which it informs webmasters and companies about the new format.
Major web companies, including Google, Twitter, Facebook, GitHub and WordPress, use the format already on their sites to improve the resetting of passwords.
Apple's Safari browser supports the feature since 2019. Google plans to introduce support in Chrome 86, and Mozilla considers it worth prototyping but has not decided yet whether the feature will be implemented in the Firefox web browser. Firefox users may keep track of this bug on Bugzilla to find out if the feature does get implemented in the browser.
Now You: Would you use such a feature, if your favorite browser/password manager would implement it? (via Bleeping Computer)
I like it. More security the better… Great Job Google…
Chrome 86 beta. chrome://flags/#well-known-change-password enabled.
Password and pay-sites management should be not allowed to save for security purposes. :[
Many users like the built-in functionality because it is the most comfortable option. If you mean, that these should never be saved, it would just open a can of worms.
I read some articles about privacy at Ghacks and a vaste number of comments were also along the same way, that Microsoft and Google have not much privacy and so forth. However, if we are worried about privacy terms, does is not password management a very high privacy issue itself? And also a risky behaviour if someone steals the device, a really big concern. However I agree it’s very comfortable if the device is protected with BIOS password. Thanks @Martin. :]
Disk encryption is the best option in my opinion, e.g. by using VeraCrypt to protect all the data on the device.