Random Idea - Password Change API/Spec
For years I've had this crazy idea that there should be some web spec for an API that supports changing user passwords.
So the idea is this. A lightweight API that would provide a basic authentication mechanism, details about password requirements and last time the password had been changed for the authenticated user, and finally a mechanism to change the password.
The goal of this spec/API would be for tools like 1Password, KeePassX, LastPass, etc to offer one click password changes to their end users. Just imagine all those passwords that are years old could be reset with one click. Perhaps even automatic password rotation every 30 days. And maybe even services like watchtower that had specific knowledge of systems that were compromised could make the process easier/automated.
This need arises from the fact that changing passwords are a horrific and widely divergent experience. I'm a software engineer at a small startup, and I remember the fallout from heartbleed was changing 200+ passwords for everything from SendGrid to our company Twitter account. It took me and another co-worker hours. HOURS. Imagine being able to rotate all passwords with one click.
In conclusion, this was just kind of a brain dump. I know first hand how hard this kind of thing would be. Adoption is critical, without adoption it's pointless. This spec/API isn't something that most of us could do ourselves. Someone like 1Password or LastPass would ultimately have to spearhead this project for service providers (Google, Facebook, Twitter, etc) to take notice and implement the sec.
So yea. That's my random idea. Thanks for reading.
-- Wesley
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi Wesley ( @workmanw ),
Thanks for such a well-written post! You're certainly not the first person to suggest such a solution, and I have to say, I'm high on the list of people who would love to see something like this (provided we could shout loudly enough to get that adoption happening.) I've shared your thoughts with someone from our web development team in the hopes that he'll be able to provide you with a bit more of a detailed reply soon.
0 -
Hi, Wesley! Thanks for sharing this idea. Like @Megan said, this isn't the first time such a proposal has been floated. If such a spec were available, we would love to support it. But, given how sensitive user accounts and data are, there are a ton of technical considerations to prevent abuse of such a system.
In addition to throttling the requests and avoiding distributed attacks from something like a botnet, there's a simple question of how you respond to those API requests. You would obviously need to supply the current password in order to authenticate for changing the password. If the password is incorrect, do you reply with a status code that says the password is incorrect? Could be that the system replies with something less helpful, but then that makes diagnosing problems much more challenging. And these are only the concerns of a single service implementing such a theoretical API. This doesn't get at the potential for abuse that results from a common implementation of such an API across multiples services.
Wow… I sound like a total wet blanket… I didn't mean to be a downer! We definitely have some ideas for how to improve the change password experience, but I can't really share anything concrete right now. At best they can be considered skunkworks or proof-of-concept efforts. But, rest assured, this is something we think about a lot. The best thing we can do for every user of 1Password is make the secure thing be the easiest thing to do, and this would certainly fall under that umbrella.
0
