Gregory's Server@valorin : thanks, I wasn't aware of the existence of an RFC for a default change-password file!
For those interested: https://internet.nl checks any webserver for, among a lot of other things, the existence of the security.txt file (it shows its results in English, you don't have to know what Goudse kaas, stroopwafels and hagelslag mean ;-)
Best practices: https://internet.nl checks for lawful requirements of Dutch (Netherlands) governmental websites. After more than a year since that law came into effect, still a lot of govt. websites do not fully comply. In particular, many have still not set up HSTS correctly, such as Almere (https://internet.nl/site/almere.nl/2957791/ - not detected by https://developer.mozilla.org/en-US/observatory/analyze?host=almere.nl).
Unfortunately HSTS (which too often does not work) still has to help internet users, as browsers still do not *enforce* https connections in a sensible way (https://infosec.exchange/@ErikvanStraten/113045241408077702).
(Coen Wesselman @wsslmn : do you like the idea of adding a check for "/.well-known/change-password", and if so, is that something you could ask to be included in the tests by internet.nl?)
#changepassword #change_password #security_txt #websites #website #webserver #SIDN #internet_nl #HSTS #MDN
@ErikvanStraten personally I will share this with the @internet_nl project team, and let you know.
Personally this would improve password management for me. Too often the tools struggle with password changes and storing the right information to access an account.
@bartknubben @valorin