Build a discoverable change password form

Axel Navarro - May 9 '22 - Dev Community

We can use a well-known URL on our websites to make our change password forms discoverable by tools such as 1Password, LastPass, and Bitwarden.

For https://example.com, this magic URL would be https://example.com/.well-known/change-password.

Let's see how this works. 💪

A well-known URL

What is a well-known URI? It's basically a group of predefined "links" inside a /.well-known/ directory of a website.

These links can be either an HTTP redirect, like the change-password URI, or a document with a specific format, like the "well known" OpenID Connect configuration in JSON format located at /.well-known/openid-configuration. We can find an example here: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.

Just a redirect

The specification for Well-Known Change Password URL is still in draft, but we can find examples in popular websites like GitHub, Slack, or Wikipedia.

💡 If you can't find the reset password link on a website, you can use this Well-Known URL.
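The redirect described above, sketched from both sides as an added example (not code from the original article or from any of the tools mentioned). The target path /settings/password, the function names and the https-only acceptance policy are assumptions of this example.

```javascript
// Added example: names and paths below are assumptions, not from the article.
const WELL_KNOWN = '/.well-known/change-password';
const CHANGE_PASSWORD_PATH = '/settings/password'; // hypothetical location of the real form

// Server side: a handler compatible with Node's http.createServer(handle).
// The Location value is a constant and is never built from request input,
// so the endpoint cannot be turned into an open redirect.
function handle(req, res) {
  const { pathname } = new URL(req.url, 'http://localhost'); // base is only used for parsing
  if (pathname === WELL_KNOWN) {
    res.writeHead(302, { Location: CHANGE_PASSWORD_PATH, 'Cache-Control': 'no-store' });
  } else {
    res.writeHead(404, { 'Content-Type': 'text/plain' });
  }
  res.end();
}

// Client side: what a tool could do with the response it gets back.
// Policy of this example: accept only 3xx answers whose target resolves to https.
function resolveChangePasswordUrl(origin, status, location) {
  const redirectStatuses = [301, 302, 303, 307, 308];
  if (!redirectStatuses.includes(status) || !location) return null;
  let target;
  try {
    target = new URL(location, origin + WELL_KNOWN); // resolves relative Location values
  } catch {
    return null; // malformed Location header
  }
  return target.protocol === 'https:' ? target.href : null;
}

// Minimal stand-in for http.ServerResponse so the handler can be exercised offline.
function fakeResponse() {
  return {
    status: null, headers: {}, ended: false,
    writeHead(status, headers) { this.status = status; this.headers = headers; },
    end() { this.ended = true; },
  };
}

// Constructed request: the extra query parameter must not influence the redirect target.
function demo() {
  const res = fakeResponse();
  handle({ url: WELL_KNOWN + '?next=https://other.example/' }, res);
  return resolveChangePasswordUrl('https://example.com', res.status, res.headers.Location);
}
```

To serve it for real, pass handle to Node's http.createServer and put it behind the site's TLS terminator.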

Conclusion

We can programmatically advertise where a user can change their password, improving the security and usability of a website that requires authentication.

Now you can create a semantic HTML form for changing passwords and the password manager tool will do the rest.
