A standard password change API

Wouldn’t it be nice if there were some sort of standard password-change API that websites all implemented? Then when there’s some sort of breach and you have to change a bunch of passwords[1] you could just download a list of domains that need fixing and give it to your password manager, and then your password manager would use the standard password-change API on each of those sites to change your password to something else. Literally one click; instead of reading stern concerned messages from everyone on Twitter saying “you should change your passwords now!” one can just click one button and, bish bash bosh, job done. That’d be lovely. Maybe Chrome’s password manager would build it in and automatically fetch sites that need updating from a central list and then I’d be secured without even knowing about it![2]

Obvious questions:

What about people without a password manager?

Yeah, they’re no better off under this plan. But they’re no worse off. And they were likely already using guessable passwords. This problem needs fixing, certainly (have people use password managers, make them easier to use, eliminate passwords entirely, many other suggestions) but fixing it is not the goal of this plan.

How does the password manager know where to look?

Put a file under /.well-known which describes the location of the endpoint and the parameters that need to be passed to it. That seems an easy problem to solve; your password manager knows the domain, so it just hits https://domain/.well-known/password-change.json and gets something like {"location": "/std-pwchange", "required_parameters": {"username": "username", "password": "password"}}. The detail here can be worked out.

Doesn’t this make compromising people’s accounts easier?

I don’t think so, but I might be wrong. At the moment, if I discover your master password I can’t do anything with it without access to your password manager’s database; if I’ve got both your master password and access to your passwords database then I can manually go and steal all your accounts everywhere and change all your passwords. Having this API doesn’t make that any more likely; it just makes it less drudge-work for an attacker who already has both.

What about sites that require two-factor auth?

Yeah, this won’t work for them. Then again, if the site requires two-factor auth, having your password potentially compromised in a breach is not as big a deal, right? So the endpoint can return needs-manual-update and then your password manager pops up a box saying “you have to manually update your password on the following sites: (list of links)”. Which is what it would do for sites that inexplicably have not adopted this idea anyway.
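To make the two answers above concrete, here is an added Python sketch of the password-manager side of the flow; it is not code from the post or from either of the proposals linked below. It fetches the descriptor from /.well-known, checks that the endpoint it names is a same-origin path before sending any credentials to it, POSTs the old and a freshly generated password, and sorts each site into changed, needs-manual-update, or unsupported (no descriptor at all). The new_password field name, the JSON status replies and the *.example sites are assumptions; the network is replaced by in-memory fixtures so it runs offline.

```python
"""Sketch of the password manager side of the flow described above.
Constructed example: the new_password field, the JSON status replies
and the *.example fixtures are assumptions, not a published spec."""
import json
import secrets
import string

WELL_KNOWN_PATH = "/.well-known/password-change.json"

# Constructed fixtures standing in for real sites: a descriptor (or none
# for a site that never adopted the idea), the account the endpoint
# checks against, and whether the site insists on a manual change (2FA).
SITES = {
    "shop.example": {
        "descriptor": {"location": "/std-pwchange", "required_parameters": {
            "username": "username", "password": "password", "new_password": "new_password"}},
        "users": {"alice": "old-pw-1"}, "manual_only": False},
    "bank.example": {
        "descriptor": {"location": "/account/rotate", "required_parameters": {
            "username": "user", "password": "pw", "new_password": "new_pw"}},
        "users": {"alice": "old-pw-2"}, "manual_only": True},
    "legacy.example": {"descriptor": None, "users": {"alice": "old-pw-3"}, "manual_only": False},
}

def fake_fetch(domain, path):
    """Stand-in for HTTPS GET; returns (status, body)."""
    site = SITES.get(domain)
    if site is None or path != WELL_KNOWN_PATH or site["descriptor"] is None:
        return 404, ""
    return 200, json.dumps(site["descriptor"])

def fake_post(domain, path, form):
    """Stand-in for the site's change endpoint; returns (status, body)."""
    site = SITES[domain]
    desc = site["descriptor"]
    if desc is None or path != desc["location"]:
        return 404, ""
    names = desc["required_parameters"]
    user = form.get(names["username"])
    if site["users"].get(user) != form.get(names["password"]):
        return 403, json.dumps({"status": "rejected"})
    if site["manual_only"]:
        return 200, json.dumps({"status": "needs-manual-update"})
    site["users"][user] = form[names["new_password"]]
    return 200, json.dumps({"status": "changed"})

def load_descriptor(domain, fetch=fake_fetch):
    """Fetch and validate the well-known descriptor; None if absent or unsafe."""
    status, body = fetch(domain, WELL_KNOWN_PATH)
    if status != 200:
        return None
    try:
        desc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(desc, dict):
        return None
    loc, params = desc.get("location"), desc.get("required_parameters")
    # Accept only a same-origin path: the descriptor must never be able to
    # point the manager at another host with the user's credentials.
    if not isinstance(loc, str) or not loc.startswith("/") or loc.startswith("//"):
        return None
    if not isinstance(params, dict) or not all(
            k in params for k in ("username", "password", "new_password")):
        return None
    return desc

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"

def generate_password(length=24):
    """Random replacement password from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_password(domain, vault, fetch=fake_fetch, post=fake_post):
    """Return 'changed', 'needs-manual-update', 'unsupported' or 'failed'.
    vault maps domain -> (username, password) and is updated only on success."""
    desc = load_descriptor(domain, fetch)
    if desc is None:
        return "unsupported"
    names = desc["required_parameters"]
    username, old_pw = vault[domain]
    new_pw = generate_password()
    form = {names["username"]: username, names["password"]: old_pw,
            names["new_password"]: new_pw}
    status, body = post(domain, desc["location"], form)
    try:
        result = json.loads(body).get("status") if status == 200 else None
    except (json.JSONDecodeError, AttributeError):
        result = None
    if result == "changed":
        vault[domain] = (username, new_pw)
        return "changed"
    return "needs-manual-update" if result == "needs-manual-update" else "failed"

def rotate_all(breached_domains, vault, fetch=fake_fetch, post=fake_post):
    """Rotate every breached domain in the vault; return (results, manual list)."""
    results = {d: rotate_password(d, vault, fetch, post)
               for d in breached_domains if d in vault}
    manual = sorted(d for d, r in results.items() if r != "changed")
    return results, manual

if __name__ == "__main__":
    my_vault = {d: ("alice", s["users"]["alice"]) for d, s in SITES.items()}
    print(rotate_all(list(SITES), my_vault))
```

The vault is only written after the site confirms the change, so a failed or manual-only attempt never leaves the manager holding a password the site does not know about; the list that comes back with the results is exactly the "change these by hand" box described above.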

Why would anyone adopt this?

Same reason anyone adopts anything; it seems a good plan, or everyone else is. This would certainly make life easier for users of password managers[3], and both sites and pw managers can advertise “we make your life easier when this happens” as a feature.

Have I missed a reason why this would be a bad idea? It’d need speccing out in detail, obviously, but the concept to me seems good…

Update: there’s been a suggestion of one possible spec for such an API at https://github.com/SirCmpwn/pass-rotate/issues/1 for anyone who wants to check it out. There’s also https://mikewest.github.io/change-password/.

  1. this week it was Cloudflare, but there’ll be another next week no doubt
  2. and a bunch of people would turn this off or never turn it on, but that’s fine, and they’re probably using some different manager already anyway
  3. I’m told that LastPass actually already supports this auto-password-change idea for lots of sites. Presumably they’re doing a little bit of custom code for each site to know where the password change form is? This would just standardise that and allow a password manager to do it automatically without any work at all, which would be obviously lovely for all concerned

More in the discussion (powered by webmentions)

  • Stuart Langridge responded at twitter.com @LastPass I'd be interested in your thoughts on this; perhaps you've already specced this idea out?
  • Stuart Langridge responded at twitter.com @1Password I'd be interested in your thoughts on this; perhaps you've already thought of this?
  • Stuart Langridge responded at twitter.com @ChromiumDev I'd be interested in your thoughts on this; perhaps somewhere that Chrome could take a lead on?
  • Roger Light responded at twitter.com Please god yes.
  • Stuart Langridge responded at twitter.com it'd be lovely, right?
  • Roger Light responded at twitter.com I've got about 400 lines in my password file. So yes.
  • 1Password responded at twitter.com This isn't something I currently support, but my devs will consider it. I'll add your vote!
  • David Reynolds responded at twitter.com awesome idea!
  • Stuart Langridge responded at twitter.com @KeePass I'd be interested in your thoughts on this; perhaps you're already working on it?
  • Stuart Langridge responded at twitter.com @KeePassX I'd be interested in your thoughts on this; maybe you've already had similar thoughts!
  • Birmingham.IO responded at twitter.com Stuart Langridge: A standard password change API by @sil buff.ly/2lQ4wnf #PlanetBirmingham
  • blogisch responded at twitter.com This idea written up in a little more detail at kryogenix.org/days/2017/02/2…. twitter.com/sil/status/835…
  • Emelia responded at twitter.com A proposal for how to do the standardised password change API as suggested in kryogenix.org/days/2017/02/2… -- comments are invited! https://t.co/
  • Brian Douglass responded at twitter.com A proposal for how to do the standardised password change API as suggested in kryogenix.org/days/2017/02/2… -- comments are invited! https://t.co/