Google Chrome is adding a new feature that will make it easier for users to reset stored passwords that have been detected as compromised in data breaches.
Since 2018, Apple has supported the /.well-known/change-password feature as a way for web sites to specify the page that is used to reset or change passwords on the site.
This feature has been used by Safari and iCloud Keychain to easily allow users to change their passwords when it is discovered that stored credentials were compromised.
To use this feature, web site developers create a
/.well-known/change-password file or URL on their site that, when visited, will redirect a user to their password reset page.
Web sites can redirect users using a .htaccess file, mod_rewrite, or even by making an HTML file that redirects the user to the proper page.
Chrome 86 to making it easier to change passwords
In Chrome 86, Google plans on rolling out support for this feature in the browser’s ‘Check passwords’ feature that checks if any stored credentials have been compromised.
“Websites can set a well-known change-password URL using the format, ‘/.well-known/change-password’, to allow users to quickly navigate to a page allowing them to change their password. Chrome will leverage this URL to help users easily change their weak / compromised passwords following a bulk password check (Desktop, Android, iOS). We want to ship this to 100% in M86,” Google product manager explained in a post to the Blink-Dev mailing list.
When Chrome determines that a password has been compromised in a data breach, it displays a ‘Change password’ button, as shown below.
When the ‘/.well-known/change-password ‘ is supported, clicking on the change password button will automatically connect to the site’s ‘/.well-known/change-password’ URL, which will automatically redirect users to the password reset page.
If a ‘/.well-known/change-password’ URL does not exist for a site, it will redirect the user instead to the site’s homepage.
By making it easier for users to change compromised passwords, the hope is that more people will make an effort to change them.
By using unique passwords at sites you visit, your security increased tremendously, and a data breach at one site will not affect you at others.
This feature will not work without the support of web sites, so it is advised that all websites create a ‘/.well-known/change-password’ URL like we have done.
Testing this feature now
For those who wish to test this feature, you can install the Chrome 86 Beta and perform the following steps:
- Paste chrome://flags/#well-known-change-password into the address bar and press enter.
- When the ‘Support for .well-known/change-password‘ flag is shown, set it to Enabled and relaunch the browser when prompted.
Once the browser has restarted, you can test this feature if you have any compromised passwords listed under chrome://settings/passwords.