Auto-Change Compromised Passwords

Google has announced a new feature in its Chrome browser that lets its built-in Password Manager automatically change a user's password when it detects that the credentials have been compromised.

"When Chrome detects a compromised password during sign in, Google Password Manager prompts the user with an option to fix it automatically," Google's Ashima Arora, Chirag Desai, and Eiji Kitamura said. "On supported websites, Chrome can generate a strong replacement and update the password for the user automatically."

The feature builds upon Password Manager's existing capabilities to generate strong passwords during sign-up and flag credentials that have been detected in a data breach.

With the automated password change, Google said the idea is to reduce friction and help users keep their accounts secure without having to search for relevant account settings or abandon the process midway.

Website owners can support this feature by adopting the following methods:

  • Use autocomplete="current-password" and autocomplete="new-password" to trigger autofill and storage
  • Set up a redirect from <your-website-domain>/.well-known/change-password to the password change form on their website
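The two recommendations above are small to implement, and the second one is easy to get subtly wrong: if a site answers 200 for every path, a password manager cannot tell a real redirect from a catch-all page. The following Node.js code is an added example written for this article, not code from Google or from Chrome's Password Manager. It goes slightly beyond the text by also returning a 404 for unknown `/.well-known/` resources, which is the behaviour the well-known-URL draft specification relies on. The change-password page path (`/account/change-password`) and the function names are assumptions.

```javascript
// Added example (not from the article, Google or Chrome): a framework-free
// router that serves the /.well-known/change-password redirect, a change
// form carrying the autocomplete hints, and an audit that flags password
// inputs missing those hints.

const CHANGE_PASSWORD_PATH = '/account/change-password'; // assumed site path
const WELL_KNOWN_CHANGE_PASSWORD = '/.well-known/change-password';

// Pure router: maps a request path to the response the site should send.
// Returning a plain object keeps it testable and easy to adapt to any server.
function routeRequest(pathname) {
  if (pathname === WELL_KNOWN_CHANGE_PASSWORD) {
    // Send password managers (and users) straight to the change form.
    return { status: 302, headers: { Location: CHANGE_PASSWORD_PATH }, body: '' };
  }
  if (pathname === CHANGE_PASSWORD_PATH) {
    return {
      status: 200,
      headers: { 'Content-Type': 'text/html; charset=utf-8' },
      body: renderChangePasswordForm(),
    };
  }
  // Any other path, including unknown /.well-known/ resources, must not
  // answer 200: a catch-all site would otherwise look like it supports the
  // redirect when it does not. 404 is the safe default.
  return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'Not found' };
}

// Change-password form with the autocomplete values Chrome looks for.
// "username" lets the manager pair the new secret with the right account.
function renderChangePasswordForm() {
  return [
    '<form method="post" action="' + CHANGE_PASSWORD_PATH + '">',
    '  <input type="text" name="username" autocomplete="username">',
    '  <input type="password" name="current" autocomplete="current-password" required>',
    '  <input type="password" name="new" autocomplete="new-password" required>',
    '  <input type="password" name="confirm" autocomplete="new-password" required>',
    '  <button type="submit">Change password</button>',
    '</form>',
  ].join('\n');
}

// Audit helper: returns every <input type="password"> tag in the HTML that
// lacks a current-password or new-password autocomplete hint, so a site can
// check its own templates before relying on automatic password change.
function findUnlabelledPasswordInputs(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/type\s*=\s*["']?password["']?/i.test(tag)) continue;
    const m = tag.match(/autocomplete\s*=\s*["']?([\w-]+)["']?/i);
    const value = m ? m[1].toLowerCase() : null;
    if (value !== 'current-password' && value !== 'new-password') {
      findings.push(tag);
    }
  }
  return findings;
}

// Wiring into Node's built-in server (not started here):
//   const http = require('http');
//   http.createServer((req, res) => {
//     const r = routeRequest(new URL(req.url, 'http://localhost').pathname);
//     res.writeHead(r.status, r.headers);
//     res.end(r.body);
//   }).listen(8080);
```

Run the audit over the HTML your templates actually emit, not over the source files: frameworks often add or drop attributes at render time, and a stripped `autocomplete` is exactly the case that stops Chrome from storing the replacement password.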

"It would be much easier if password managers could navigate the user directly to the change-password URL," Kitamura said. "This is where a well-known URL for changing passwords becomes useful."

"By reserving a well-known URL path that redirects the user to the change password page, the website can easily redirect users to the right place to change their passwords."

The development comes as companies are increasingly shifting to passkeys as a stronger alternative to protect accounts from potential takeover attacks. Earlier this month, Microsoft said it's making passkeys the default method when signing up for new customer accounts.
