Chrome 86 to feature improved password reset capabilities
Many modern web browsers include functionality to determine if saved passwords have been leaked in the past. Companies like Google or Mozilla maintain databases of leaked passwords and compare the hashes of these against passwords stored by users in the browser. If a match is found, the password has been leaked and is considered insecure.
A suggestion to reset the password is then displayed to the user. That process needs to be done manually as the user needs to visit the site the password was saved for and use the available password reset functionality on that site. Browsers may provide a link to the site but that is usually all the help that users get.
Apple introduced a new security feature in Safari that establishes a fixed path for password reset operations. The path uses the format /.well-known/change-password; since it is known, Apple may redirect users directly to the path if a password needs to be reset instead of the homepage of the service. The URL redirects automatically to the actual password reset page of the site.
Google plans to introduce support for the format in Chrome 86. The upcoming version of the web browser is expected to be released on October 6, 2020.
Chrome displays a change password button next to compromised passwords. A click on the button loads the password reset page if the site in question supports the "/.well-known/change-password" format, or the site's homepage if there is no other fallback that Google knows about.
An "Intent to Ship" post on the official Blink Dev group confirms Google's plan to ship the feature in the browser.
Websites can set a well-known change-password URL using the format, '/.well-known/change-password', to allow users to quickly navigate to a page allowing them to change their password. Chrome will leverage this URL to help users easily change their weak / compromised passwords following a bulk password check (Desktop, Android, iOS). We want to ship this to 100% in M86.
Tip: Chrome Beta and Canary users may enable the feature right now by loading chrome://flags/#well-known-change-password in the browser's address bar, setting the experimental flag called 'Support for .well-known/change-password' to Enabled, and restarting the browser afterwards.
Google has already published an article about the new feature on its Web Dev website, in which it informs webmasters and companies about the new format.
Major web companies, including Google, Twitter, Facebook, GitHub and WordPress, use the format already on their sites to improve the resetting of passwords.
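For site operators, supporting the format comes down to one redirect from the fixed path to the page where passwords are actually changed. The Python server below is an added example, not code from the article or from any of the companies named; the target path /account/password and the choice of a 302 status are assumptions for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/change-password"
# Assumption: where this site's real change-password form lives.
CHANGE_PASSWORD_PAGE = "/account/password"


def route(raw_path):
    """Map a request target to (status, headers, body)."""
    path = urlsplit(raw_path).path  # ignore any query string or fragment
    if path == WELL_KNOWN:
        # The target is a constant, same-origin path. It is never built
        # from request input, so the endpoint cannot act as an open redirect.
        return 302, {"Location": CHANGE_PASSWORD_PAGE}, b""
    if path == CHANGE_PASSWORD_PAGE:
        return 200, {"Content-Type": "text/plain"}, b"change-password form goes here\n"
    # Unknown paths get a real 404, so a client can tell an unsupported
    # site from a supported one and fall back to the homepage.
    return 404, {"Content-Type": "text/plain"}, b"not found\n"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = route(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local demo only: http://127.0.0.1:8000/.well-known/change-password
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Keeping the redirect target fixed matters because the well-known URL is reached from a browser prompt about a compromised password, so it must always land on the site's own form.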
Apple's Safari browser has supported the feature since 2019. Google plans to introduce support in Chrome 86, and Mozilla considers it worth prototyping but has not decided yet whether the feature will be implemented in the Firefox web browser. Firefox users may keep track of this bug on Bugzilla to find out if the feature does get implemented in the browser.
Now You: Would you use such a feature if your favorite browser or password manager implemented it? (via Bleeping Computer)