This could be a real win. If there was a way of marking a standardized form with some metadata or tags to say "hey, this is safe to use automatically in the expected way" such as the typical form with old > new > repeat new or something. One little HTML change and it advertises compatibility.
That way, classy sites could enable a 'safe enough/good enough' flag that any software could use.
There is also the thought that it may be worth hard-coding for the biggest sites. The high profile sites are the most vulnerable when a vulnerability hits, there are big existing databases of user names around, and these can be exploited automatically and quickly on relatively high value targets (gmail accounts, amazon, facebook, twitter etc). Even top 10 would be helpful, but top 100 seems approachable, especially since the bigger sites are probably more consistent. The payoff here could be big next time around.
Also if the framework were around for doing this, you could target a particular site or three that just had a major breach, and push the rules for reset out with the breach notification.
I know it's a huge amount of work to do manually, but even a relatively focused effort could have payoffs, and if working with big sites can start an 'automated password reset' standard rolling, others might adopt it.
Just thinking out loud, I know you've got to juggle priorities and features with limited time.
Thanks again!
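As an added illustration of the "one little HTML change" idea in the comment above (example code written for this page, not from the original poster or from any product the thread refers to): a small JavaScript checker that treats the standard HTML `autocomplete` tokens `current-password` and `new-password` as the advertised-compatibility hint and accepts a change-password form only when it is laid out as old > new > repeat-new. The regex-based `<input>` extraction, the `classifyChangeForm` function and the two sample forms are constructed for this example; a real client would use a proper DOM parser.

```javascript
// Added example, not code from the original post. It decides whether a
// password-change form advertises the "old > new > repeat new" layout via the
// HTML autocomplete hints "current-password" and "new-password" (an assumption
// about how such a compatibility flag could be expressed).

const INPUT_RE = /<input\b[^>]*>/gi;                 // every <input ...> tag
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;     // name="value" pairs

// Extract each <input> tag's attributes into a plain object (lower-cased keys).
// Regex-based on purpose: enough for the constructed samples below, not a parser.
function parseInputs(html) {
  const inputs = [];
  for (const tag of html.match(INPUT_RE) || []) {
    const attrs = {};
    for (const m of tag.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
    inputs.push(attrs);
  }
  return inputs;
}

// Classify a form. `safe` is true only when the form has exactly three
// type="password" fields, the first hinted current-password and the next two
// hinted new-password; anything else is rejected with a reason, so a client
// falls back to manual handling instead of guessing.
function classifyChangeForm(html) {
  const pw = parseInputs(html).filter(i => (i.type || '').toLowerCase() === 'password');
  const fields = pw.map(i => (i.autocomplete || '').toLowerCase());
  if (pw.length !== 3) {
    return { safe: false, reason: `expected 3 password fields, found ${pw.length}`, fields };
  }
  if (fields[0] !== 'current-password') {
    return { safe: false, reason: 'first field is not marked current-password', fields };
  }
  if (fields[1] !== 'new-password' || fields[2] !== 'new-password') {
    return { safe: false, reason: 'new/repeat fields are not both marked new-password', fields };
  }
  return { safe: true, reason: 'form advertises old > new > repeat-new layout', fields };
}

// Constructed sample: a form that advertises compatibility.
const TAGGED_FORM = `
<form action="/account/password" method="post">
  <input type="hidden" name="csrf" value="constructed-token">
  <input type="password" name="old" autocomplete="current-password">
  <input type="password" name="new" autocomplete="new-password">
  <input type="password" name="new2" autocomplete="new-password">
  <button type="submit">Change</button>
</form>`;

// Constructed sample: same three fields, but no hints, so it must not be
// treated as safe to drive automatically.
const UNTAGGED_FORM = `
<form action="/account/password" method="post">
  <input type="password" name="old">
  <input type="password" name="new">
  <input type="password" name="new2">
</form>`;

console.log(classifyChangeForm(TAGGED_FORM));
console.log(classifyChangeForm(UNTAGGED_FORM));
```

The point of the strict shape check is the same as the comment's: a client only automates forms that explicitly opt in, and everything else (different field counts, missing or reordered hints) is reported rather than guessed at.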