The Artima Developer Community

Web Buzz Forum
A standard password change API

Stuart Langridge

Posts: 2006
Nickname: aquarius
Registered: Sep, 2003

Stuart Langridge is a web, JavaScript, and Python hacker, and sometimes all three at once.
A standard password change API Posted: Feb 24, 2017 1:54 PM

This post originated from an RSS feed registered with Web Buzz by Stuart Langridge.
Original Post: A standard password change API
Feed Title: as days pass by
Feed URL: http://feeds.feedburner.com/kryogenix
Feed Description: scratched tallies on the prison wall

Wouldn’t it be nice if there were some sort of standard password-change API that websites all implemented? Then when there’s some sort of breach and you have to change a bunch of passwords [1] you could just download a list of domains that need fixing and give it to your password manager, and then your password manager would use the standard password-change API on each of those sites to change your password to something else. Literally one click; instead of reading stern concerned messages from everyone on Twitter saying “you should change your passwords now!” one can just click one button and, bish bash bosh, job done. That’d be lovely. Maybe Chrome’s password manager would build it in and automatically fetch sites that need updating from a central list and then I’d be secured without even knowing about it! [2]

Obvious questions:

What about people without a password manager?

Yeah, they’re no better off under this plan. But they’re no worse off. And they were likely already using guessable passwords. This problem needs fixing, certainly (have people use password managers, make them easier to use, eliminate passwords entirely, many other suggestions) but fixing it is not the goal of this plan.

How does the password manager know where to look?

Put a file in /.well-known which describes the location of the endpoint and the parameters that need to be passed to it or something. That seems an easy problem to solve; your password manager knows the domain, so it just hits https://domain/.well-known/password-change.json and gets {location: '/std-pwchange', required_parameters: {username: "username", password: "password"}} or something. The detail here can be worked out.

Doesn’t this make compromising people’s accounts easier?

I don’t think so, but I might be wrong. At the moment, if I discover your master password I can’t do anything with it without access to your password manager’s database; if I’ve got both your master password and access to your passwords database then I can manually go and steal all your accounts everywhere and change all your passwords. Having this doesn’t make it more likely; it just makes it less drudge-work for an attacker to do.

What about sites that require two-factor auth?

Yeah, this won’t work for them. Then again, if the site requires two-factor auth, having your password potentially compromised in a breach is not as big a deal, right? So the endpoint can return needs-manual-update and then your password manager pops up a box saying “you have to manually update your password on the following sites: (list of links)”. Which is what it would do for sites that inexplicably have not adopted this idea anyway.

Why would anyone adopt this?

Same reason anyone adopts anything: it seems a good plan, or because everyone else is doing it. This would certainly make life easier for users of password managers [3], and both sites and password managers can advertise “we make your life easier when this happens” as a feature.

Have I missed a reason why this would be a bad idea? It’d need speccing out in detail, obviously, but the concept to me seems good…

  1. this week it was Cloudflare, but there’ll be another next week no doubt
  2. and a bunch of people would turn this off or never turn it on, but that’s fine, and they’re probably using some different manager already anyway
  3. I’m told that LastPass actually already supports this auto-password-change idea for lots of sites. Presumably they’re doing a little bit of custom code for each site to know where the password change form is? This would just standardise that and allow a password manager to do it automatically without any work at all, which would be obviously lovely for all concerned

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use