securitytxt.org VS password-manager-resources

Lemme guess, Well-known Security?

As in `http://mydomain.example/.well-known/security.txt ?

https://securitytxt.org/

If you see at the end of attack carefully, you'll see /.well-known/security.txt which already explained by securitytxt.org. That means, there's an either non-profit or for-profit organization that proactively find your site's vulnerability and trying to help you. For the for-profit organizations, usually they just give you information what vulnerability but you have to pay in order to get the solution.

I would laugh if I saw this in a security.txt file.. make it happen.

as defined on https://securitytxt.org/ “When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

There are quite a lot of websites that implement the security. txt already. See https://securitytxt.org for more information about that

There are additional optional fields available for encryption, acknowledgements, canonical references, and more. You can find out more about this at the official security.txt website.

here it is: https://securitytxt.org/

FWIW, Apple asks users to tell them the password requirements to websites they notice the "Strong Password" feature doesn't work correctly.

The password complexity rule set is open source, you can contribute requirements for specific sites: https://github.com/apple/password-manager-resources

If it‘s worth the effort to you, you can try amend the password rules here: https://github.com/apple/password-manager-resources/blob/mai...

And JavaScript

You might be thinking about:

https://github.com/apple/password-manager-resources

or the related:

https://github.com/w3c/webappsec-change-password-url

But mainly if you are responsible for a system and you're willing to do work to improve security your first focus should be "implement WebAuthn so my users can stop worrying about passwords entirely" not "I wonder if more complicated password handling would help somehow?"

There is the Apple Password Manager Resources GitHub project, which seemingly is used for certain iCloud Keychain intelligence, such as shared Password Backends. You could open Pull Requests there to make your suggestions.

Back in August 2020, 1Password X v1.21.0 added support for Apple’s Password Manager Resources repository, which includes a curated crowd-sourced list of 160 sites’ password requirements, with more added frequently. For any site on that list, the password generator in 1Password X automatically generates a strong password that fits the website’s criteria. I hope that makes it to 1Password apps soon – it’s really useful and an awesome improvement. The list of supported sites will grow over time! Since the requirements are set by the site, user-facing digits/symbols sliders wouldn’t work.

Back in August 2020, 1Password X v1.21.0 added support for Apple’s Password Manager Resources repository, which includes a curated crowd-sourced list of 160 sites’ password requirements, with more added frequently. For any site on that list, the password generator in 1Password X automatically generates a strong password that fits the website’s criteria. I hope that makes it to 1Password apps soon – it’s really useful and an awesome improvement. The list of supported sites will grow over time! Since the requirements are set by the site, user-facing digits/symbols sliders wouldn’t work.