mozilla / blurts-server

Mozilla Monitor arms you with tools to keep your personal information safe. Find out what hackers already know about you and learn how to stay a step ahead of them.
https://monitor.mozilla.org
Mozilla Public License 2.0

Include links to password change forms on the site when passwords were breached #1112

Closed mnoorenberghe closed 8 months ago

mnoorenberghe commented 5 years ago

To make the breach notifications for logins much more actionable it would be great to include a direct link to the sites password change form. The link to this URL can be shown on the website and in about:logins to provide an easier path to changing the password on the site.

groovecoder commented 5 years ago

To do this, we will want to include the change-password urls in the Remote Settings collection.

To find the change-password urls we could:

  1. Look for the (probably tiny number of) breached sites that support the .well-known/change-password url.
  2. Maintain our own list of the breached sites' change password urls.

pdehaan commented 5 years ago

I can write a quick and dirty scraper to loop through all the breaches and see if they have a ${breach.Domain}/.well-known/change-password endpoint that doesn't 404, but considering it doesn't even look like mozilla.org, adobe.com, linkedin.com, microsoft.com, or myspace.com have the endpoints defined, I don't have high hopes.

Interestingly, it looks like both facebook.com and twitter.com do an HTTP 301/302 redirect to their respective login pages, which is cool.

My guess is that we'd have to maintain our own list of password change URLs (which feels a bit sketchy).

https://fx-breach-alerts.herokuapp.com/hibp/breaches says we have 370 known breaches (but only 352 have a Domain). Who wants to put bets on how many will have a /.well-known/change-password endpoint?

groovecoder commented 5 years ago

Can I bid 1 to be closest without going over? (Except it's probably actually 0)

changecourse commented 5 years ago

An improvement on the work to be done in #1119

pdehaan commented 5 years ago

> Can I bid 1 to be closest without going over? (Except it's probably actually 0)

My guess was that I could definitely count the results on one hand, but looks like you were correct, 1 result:

http://armyforceonline.com/.well-known/change-password

After pasting the results, I'm realizing my code isn't very good, and probably should have treated a non-redirect as an error instead of saying "same" 32 times (which would have brought the number of potential "successes" down to 22, with ~96% being false positives). 🤷‍♀

check-well-known-change-password.js

```js
const axios = require("axios");

const slug = "/.well-known/change-password";

async function main() {
  // Pull the breach list and keep only breaches that have a Domain to probe.
  const res = await axios.get("https://fx-breach-alerts.herokuapp.com/hibp/breaches");
  const breaches = res.data.filter(breach => breach.Domain);
  console.log(breaches.length);
  const successes = [];
  const errors = [];
  for (const breach of breaches) {
    try {
      const success = await checkWellKnownChangePassword(breach);
      successes.push(success);
      // "(same)" means the request was not redirected away from the slug.
      console.log(`${success.status} | ${success.changePasswordUrl} | ${success.changePasswordUrl === success.currentUrl || success.currentUrl.endsWith(slug) ? "(same)" : success.currentUrl}`);
    } catch (err) {
      errors.push(err);
    }
  }
  console.log("successes:", successes.length);
  console.log("errors:", errors.length);
}

async function checkWellKnownChangePassword(breach) {
  if (!breach.Domain) {
    const err = new Error(`No domain for ${breach.Name}`);
    err.breach = breach;
    throw err;
  }
  const changePasswordUrl = new URL(slug, `http://${breach.Domain}`).href;
  try {
    const res = await axios.get(changePasswordUrl, {timeout: 2500});
    res.breach = breach;
    res.changePasswordUrl = changePasswordUrl;
    // Final URL after redirects, read from axios's follow-redirects internals.
    res.currentUrl = res.request._redirectable._currentUrl;
    return res;
  } catch (err) {
    err.breach = breach;
    err.changePasswordUrl = changePasswordUrl;
    throw err;
  }
}

main();
```
| Status | Source URL | Final URL | Notes |
| --- | --- | --- | --- |
| 200 | http://8tracks.com/.well-known/change-password | https://8tracks.com/404 | Redirects to 404 page (with a 200 status code?!) |
| 200 | http://ahashare.com/.well-known/change-password | (same) | |
| 200 | http://appartoo.com/.well-known/change-password | (same) | |
| 200 | http://armyforceonline.com/.well-known/change-password | http://armyforceonline.com/login/auth | SUCCESS |
| 200 | http://bell.ca/.well-known/change-password | (same) | |
| 200 | http://bell.ca/.well-known/change-password | (same) | |
| 200 | http://cannabis.com/.well-known/change-password | https://weedmaps.com/ | Redirects to new domain. |
| 200 | http://cashcrate.com/.well-known/change-password | https://www.cashcrate.com/ | Redirects to homepage (and upgrades to HTTPS) |
| 200 | http://cheapassgamer.com/.well-known/change-password | (same) | |
| 200 | http://clixsense.com/.well-known/change-password | (same) | |
| 200 | http://demonforums.net/.well-known/change-password | (same) | |
| 200 | http://dlh.net/.well-known/change-password | https://www.dlh.net/de/index.html | Redirects to homepage. |
| 200 | http://duowan.com/.well-known/change-password | http://www.duowan.com/s/404/404.html?from=configcommon | Redirects to 404 page (with a 200 status code) |
| 200 | http://edmodo.com/.well-known/change-password | (same) | |
| 200 | http://eroticy.com/.well-known/change-password | (same) | |
| 200 | http://freshmenu.com/.well-known/change-password | (same) | |
| 200 | http://gaadi.com/.well-known/change-password | (same) | |
| 200 | http://gpotato.com/.well-known/change-password | http://www.webzen.com/ | Redirects to new domain. |
| 200 | http://hounddawgs.org/.well-known/change-password | http://hounddawgs.org/cgi-sys/suspendedpage.cgi | 404 page. |
| 200 | http://houzz.com/.well-known/change-password | (same) | |
| 200 | http://intelimost.com/.well-known/change-password | (same) | |
| 200 | http://ipmart-forum.com/.well-known/change-password | (same) | |
| 200 | http://jobstreet.com/.well-known/change-password | (same) | |
| 200 | http://justdate.com/.well-known/change-password | (same) | |
| 200 | http://lanwar.com/.well-known/change-password | (same) | |
| 200 | http://majorgeeks.com/.well-known/change-password | https://www.majorgeeks.com/ | Redirects to homepage. |
| 200 | http://mangatraders.com/.well-known/change-password | http://ww1.mangatraders.com/ | Redirects to homepage. |
| 200 | http://mangafox.me/.well-known/change-password | (same) | |
| 200 | http://mcbans.com/.well-known/change-password | (same) | |
| 200 | http://myheritage.com/.well-known/change-password | https://www.myheritage.com/FP/page-not-found.php | Redirects to 404 page. |
| 200 | http://nihonomaru.net/.well-known/change-password | (same) | |
| 200 | http://nonnudegirls.org/.well-known/change-password | (same) | |
| 200 | http://opencsgo.com/.well-known/change-password | (same) | |
| 200 | http://ps3hax.net/.well-known/change-password | (same) | |
| 200 | http://qnb.com/.well-known/change-password | (same) | |
| 200 | http://quantumbooter.net/.well-known/change-password | (same) | |
| 200 | http://r2games.com/.well-known/change-password | (same) | |
| 200 | http://r2games.com/.well-known/change-password | (same) | |
| 200 | http://teracod.org/.well-known/change-password | http://ww7.teracod.org/ | Redirects to homepage. |
| 200 | http://tgbus.com/.well-known/change-password | http://www.tgbus.com/404/ | Redirects to 404 page. |
| 200 | http://thishabboforum.com/.well-known/change-password | (same) | |
| 200 | http://tianya.cn/.well-known/change-password | http://www.tianya.cn/ | Redirects to homepage. |
| 200 | http://uiggy.com/.well-known/change-password | https://www.uiggy.com/Home/Error | Redirects to 404 page. |
| 200 | http://intgovforum.org/.well-known/change-password | http://www.intgovforum.org/multilingual/ | Redirects to homepage. |
| 200 | http://uuu9.com/.well-known/change-password | http://www.uuu9.com/ | Redirects to homepage. |
| 200 | http://verified.cm/.well-known/change-password | http://ww12.verified.cm/ | Redirects to homepage. |
| 200 | http://viewfines.co.za/.well-known/change-password | (same) | |
| 200 | http://warmane.com/.well-known/change-password | https://www.warmane.com/notfound | Redirects to 404 page. |
| 200 | http://wiiuiso.com/.well-known/change-password | (same) | |
| 200 | http://wildstar-online.com/.well-known/change-password | https://us.ncsoft.com:443/ | Redirects to new domain. |
| 200 | http://wptapl.com/.well-known/change-password | https://www.worldpokertour.com/ | Redirects to new domain. |
| 200 | http://youku.com/.well-known/change-password | (same) | |
| 200 | http://zhenai.com/.well-known/change-password | https://www.zhenai.com/ | Redirects to homepage. |
| 200 | http://sprashivai.ru/.well-known/change-password | http://sprashivai.ru/ | Redirects to homepage. |

successes: 54 errors: 298
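As an added example that is not part of this thread, a classifier for the scraper's recorded results that treats a non-redirect as "not implemented" and sorts the redirects into the buckets the table's notes use, so the false positives fall out automatically. The catch-all check assumes the W3C change-password spec's "resource-that-should-not-exist" probe; the host-prefix folding and the 404 path hints are constructed heuristics, not anything from the project.

```javascript
// Added example (not from the issue thread): classify a recorded probe of
// <domain>/.well-known/change-password from (status, requested URL, final URL),
// treating "no redirect" as not implemented rather than as a hit.
const SLUG = "/.well-known/change-password";
// Probe path from the W3C change-password spec for hosts that answer 200 to
// anything; if it also returns 200, that host's 200 on SLUG proves nothing.
const CATCH_ALL_PROBE =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";
// Path fragments of the "soft 404" landing pages in the thread's results
// (constructed list; extend as new patterns show up).
const NOT_FOUND_HINTS = ["404", "notfound", "not-found", "error", "suspendedpage"];
// URLs a scraper fetches per breach domain (plain http, as the script above did).
const probeUrls = (domain) => ({
  changePassword: new URL(SLUG, `http://${domain}`).href,
  catchAll: new URL(CATCH_ALL_PROBE, `http://${domain}`).href,
});
// Fold www./ww1./ww12. prefixes so www.example.com still counts as example.com
// (assumption: adequate for this list; a real checker would use the PSL).
const hostKey = (hostname) => hostname.toLowerCase().replace(/^ww(w|\d+)\./, "");

// error | catch-all | not-implemented | redirect-new-domain | redirect-404 |
// redirect-homepage | candidate; only "candidate" rows merit a human look.
function classifyProbe({ status, requestedUrl, finalUrl, catchAllStatus }) {
  if (status < 200 || status >= 300) return "error";
  if (catchAllStatus === 200) return "catch-all";
  const req = new URL(requestedUrl);
  const fin = new URL(finalUrl);
  const path = fin.pathname.toLowerCase().replace(/\/+$/, "");
  if (path === SLUG) return "not-implemented"; // served the slug itself: "(same)"
  if (hostKey(fin.hostname) !== hostKey(req.hostname)) return "redirect-new-domain";
  if (NOT_FOUND_HINTS.some((h) => path.includes(h))) return "redirect-404";
  if (path === "" || /^\/[a-z]{2}\/index\.html$/.test(path)) return "redirect-homepage";
  return "candidate";
}
// Tally categories over many recorded probes.
function summarize(probes) {
  const counts = {};
  for (const p of probes) { const c = classifyProbe(p); counts[c] = (counts[c] || 0) + 1; }
  return counts;
}

// Constructed rows mirroring cases from the table above.
const SAMPLE = [
  { status: 200, requestedUrl: "http://ahashare.com" + SLUG, finalUrl: "http://ahashare.com" + SLUG },
  { status: 200, requestedUrl: "http://8tracks.com" + SLUG, finalUrl: "https://8tracks.com/404" },
  { status: 200, requestedUrl: "http://armyforceonline.com" + SLUG, finalUrl: "http://armyforceonline.com/login/auth" },
  { status: 200, requestedUrl: "http://cannabis.com" + SLUG, finalUrl: "https://weedmaps.com/" },
  { status: 200, requestedUrl: "http://mangatraders.com" + SLUG, finalUrl: "http://ww1.mangatraders.com/" },
  { status: 200, requestedUrl: "http://example.test" + SLUG, finalUrl: "http://example.test/account", catchAllStatus: 200 },
];
console.log(summarize(SAMPLE));
```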

mnoorenberghe commented 4 years ago

Apple has now made an open-source repo to provide overrides for sites that don't implement /.well-known/change-password: https://github.com/apple/password-manager-resources/blob/master/quirks/change-password-URLs.json

EMMLynch commented 8 months ago

Closing since we've redesigned the site and functionality since this was created. If you feel that this is still needed, please let me know.