by fckthisguy 1235 days ago
We should introduce an industry best practice for account management. A "/.well-known" url for changing passwords would make this trivial to do in bulk with a password manager.
3 comments

Nothing could go wrong with having a way of hitting millions of websites at once with a 0 day exploit :)
The functionality provided by such an API could be limited to disabling the account until the password is manually reset given that the client provides a valid email and password. The blast radius for that would be pretty small.
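As an added illustration of the narrow endpoint suggested in this reply (example code written here, not from any commenter or from an existing standard; the `/.well-known/lock-account` path, the in-memory account store and the helper names are hypothetical), the only action exposed is locking the account after a valid email and password, so a stolen password-manager vault can force manual resets but cannot set passwords or delete anything:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

WELL_KNOWN_LOCK = "/.well-known/lock-account"  # hypothetical path, not a published standard


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False  # True = disabled until the owner resets manually


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, hash_password(password, salt))


# Constructed sample store standing in for a real user database.
ACCOUNTS = {a.email: a for a in [make_account("alice@example.com", "correct horse")]}


def verify(email: str, password: str) -> bool:
    """Check credentials; unknown emails still cost one hash so timing does not leak existence."""
    acct = ACCOUNTS.get(email)
    salt = acct.salt if acct else b"\x00" * 16
    expected = acct.pw_hash if acct else hash_password("", salt)
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return ok and acct is not None


def lock_account(email: str, password: str) -> dict:
    """The whole well-known action: flag the account locked. No password is changed,
    no data is removed, so the blast radius of a bulk call is a forced manual reset."""
    if not verify(email, password):
        return {"status": 401}
    ACCOUNTS[email].locked = True
    return {"status": 200, "locked": True}


def login(email: str, password: str) -> dict:
    if not verify(email, password):
        return {"status": 401}
    if ACCOUNTS[email].locked:
        return {"status": 403, "reason": "password reset required"}
    return {"status": 200}


def handle(path: str, form: dict) -> dict:
    """Minimal dispatcher: anything other than the lock path is not served here."""
    if path != WELL_KNOWN_LOCK:
        return {"status": 404}
    return lock_account(form.get("email", ""), form.get("password", ""))
```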

I don't use 90% of the entries in my password manager on a monthly basis so anything that allows me to delay the password change on hundreds of accounts until I need to use the account again would be valuable.

Obscurity is security, as the saying goes.
Isn’t the saying, “security through obscurity is no security at all”?
I believe the person you replied to was being sarcastic.
So if I get access to your PM, then I would be able to destroy all your accounts en masse.

At least this way they would have to prioritize.

I don't think this matters that much. Most accounts are just for random websites that don't let you use basic functionality without a login. Being able to manage such accounts efficiently & without dark patterns in one program would be a massive time-saver, but whether a bad actor takes a few seconds or a few minutes to take over my important accounts I'm screwed either way.