Talk:Community Tech/LoginNotify

From Meta, a Wikimedia project coordination wiki

"Sticky" notification[edit]

I know this may be a little late to ask, but would it be possible to make sure the notification stays "new" for, say, a week? It's possible the IP did successfully log in after a few failed attempts, checked the notification so it didn't appear to the real owner of the account, and then went on their merry way for one reason or another. I'm not the kind of person that checks notifications if I don't have an alert saying I have new notifications. If it was impossible for someone to log in to my account and then was unable to check the notification as read, I would know immediately the next time I logged in to change my password. Without this, I probably wouldn't know about any failed login attempts until I was blocked as a compromised account. If I'm not mistaken, in general, compromised accounts aren't unblocked without very good reason on enwiki. (I do have a committed identity setup there, but what if I didn't?) Gestrid (talk) 04:03, 7 April 2017 (UTC)

Thanks for your reply. Having a sticky notification can be annoying to users who check their notifications frequently and like to have an empty notification counter. Also this functionality does not currently exist with our notification system and would require quite some time and effort to build. If you feel strongly about this, please feel free to request this in the next wishlist survey. Thank you! -- NKohli (WMF) (talk) 20:25, 21 August 2017 (UTC)
@Gestrid: If you care about your privacy a lot, I guess an easier workaround for this would be to enable Email notifications for failed login attempts (alone?). The misfeasor wouldn't be able to delete the emails from the Inbox of your email. (Of course this only helps if you are happy to share your email address with Wikipedia ;-) -- Kaartic correct me, if i'm wrong 04:23, 2 December 2017 (UTC)

So we worked out how to monitor Ryan0brookes (talk) 17:16, 28 January 2019 (UTC)

Why is it believed to be a good idea to have a link to a password change tool?

To me it seems like the general best practice for managing passwords is that when a user gets an unsolicited email with a link that asks him to enter passwords, the user generally shouldn't follow the link. Training a user with the idea that serious websites send links like that increases the chances that the user will fall victim to a phishing attack. ChristianKl (talk) 10:08, 15 May 2017 (UTC)

I agree that we want to have a responsible design, but in this feature's case I don't see this as causing any problems. There are two password change tools: 1) When you forget your password and cannot log in it can be recovered via Special:PasswordReset which sends an email. 2) If you know your password and want to update your password you can do so without an email via Special:ChangeCredentials. These Echo notifications only appear when you're logged-in, therefore users will be taken to Special:ChangeCredentials which does not use an email.
This doesn't address Special:PasswordReset relying on email, but it is a solicited email. And definitely outside the scope of this specific project. Something to chew on, though... — Trevor Bolliger, WMF Product Manager 🗨 16:35, 15 May 2017 (UTC)
@TBolliger (WMF): Playing the devil's advocate a little ;-), I think the key lies in the fact that the user might not know that the link in the email about a "failed login attempt" goes to Special:ChangeCredentials. He might be tricked into entering his current password by a phishing site? - - Kaartic correct me, if i'm wrong 04:37, 2 December 2017 (UTC)

Tyop

I hope you fixed the typo in the alert message: "There have been have been". Yngvadottir (talk) 17:04, 19 August 2017 (UTC)

Thanks for pointing that out! Fixed now. Will be visible on the sites within a few days. -- NKohli (WMF) (talk) 20:20, 21 August 2017 (UTC)
It's still in the picture on this page. Stryn (talk) 16:34, 22 November 2017 (UTC)

Unified login

(How) does this play together with SUL? I.e.: I have the notification for logins from an unknown device enabled on German Wikipedia, but nowhere else. Will I still get notified when somebody logs into my account in some other project? Or at least when he then visits German Wikipedia and is logged in there automatically? --Schnark (talk) 08:05, 21 August 2017 (UTC)

Yes, you'll get cross-wiki notifications if someone tries to login to your account on any project. -- NKohli (WMF) (talk) 20:22, 21 August 2017 (UTC)
As far as I understand, cross-wiki notifications only work for web notifications, so this won't work for the "Login from an unfamiliar device" notification, which is an email only notification. --Schnark (talk) 06:54, 22 August 2017 (UTC)

Hi! :) I'm wondering about this too… Do we have to enable email notifications for unsuccessful logins and logins from unknown devices on every single Wikimedia website? If it's enough for an attacker to pick any Wikimedia website which does not appear in Special:CentralAuth for the targeted user, it kind of defeats this otherwise awesome security feature… Thanks! — Arkanosis 17:02, 25 August 2017 (UTC)

Due to popular demand, we ended up making them on by default across all wikis. So now they'd work for all wikis. Let me know if it doesn't work for you. Thanks. -- NKohli (WMF) (talk) 22:53, 10 October 2017 (UTC)

Was not notified

I activated all loginnotify options in preferences, then used a private window of my web browser to log in again with a false password. Now, minutes later, I still have not been notified? --𝔊 (Gradzeichen DiſkTalk) 07:48, 22 August 2017 (UTC)

That's because your IP address is a known IP. You'd have to change your IP address in addition to using a private browser window. -- NKohli (WMF) (talk) 22:16, 23 August 2017 (UTC)

IP address of unsuccessful attempts

Three days ago I had 3 unsuccessful attempts to login with my username. I had similar problems in May and April, and it could be the same user. Is it possible to get the IP address of unsuccessful attempts? --Superikonoskop (talk) 15:45, 28 August 2017 (UTC)

Given that the password reset emails you get specify the IP address, I think it would make sense for this one to as well. — Scott talk 11:52, 8 September 2017 (UTC)
There's a ticket about it and we'll try to prioritise it over the next few weeks. Thanks. -- NKohli (WMF) (talk) 22:51, 10 October 2017 (UTC)
@NKohli (WMF): Thank you. Can you link the ticket please, so I can follow it on Phabricator? — Scott talk 17:27, 12 January 2018 (UTC)
@Scott: yes, it is task T174562. Thanks. -- NKohli (WMF) (talk) 19:08, 19 January 2018 (UTC)
Please print IP + time of failed login – we Wikiusers are surely able to use WhoIs tools… --2.247.254.163 22:24, 10 December 2017 (UTC)
For the IP, there's a ticket in progress. You can watch and comment on it. It's linked above. As for the timestamp, that's something that has to be changed in the way Echo notification display is handled. That's not something we can change at our end. In any case, it does give you a good estimate for when the login happened ("x minutes ago", "y hours ago" etc.). Thanks. -- NKohli (WMF) (talk) 19:08, 19 January 2018 (UTC)

"Multiple" failed attempts[edit]

Contrary to the description given here of the feature, I only have notifications that say "multiple failed attempts" (and a lot of them, possibly due to my simple user name and/or admin status - 12 of them in one day recently). That seems less useful than indicating whether it was 5, 10, or so on. — Scott talk 22:12, 6 September 2017 (UTC)

I don't personally see how "10" is more useful than "multiple". The idea was to not panic the user(s) but nonetheless there does seem to be panic. In one case someone got 400+ attempts on a single day. Showing them that number doesn't seem like a great idea. It's not helpful in any case to them. Note that the number count on the Echo Notification icon correctly indicates the number of attempts (if that is the only notification you have). -- NKohli (WMF) (talk) 22:51, 10 October 2017 (UTC)
I think seeing that someone attempted to log in to your account 400 times is a valid source of concern. Letting users set their own level of concern seems like good practice to me. If anything, "multiple" is more concerning by default because you don't know if it was 5 or 400. — Scott talk 17:30, 12 January 2018 (UTC)
A lot of these failed login attempts seem to happen through bots, apparently. That's why the 400 number doesn't mean anything. Nobody could have manually gone through that pain. And these bots don't target just one account. They go through a lot of them. Mostly targeting common usernames. We do not want to create panic but as I said the number count in the Echo notification icon does include the number of failed attempts. -- NKohli (WMF) (talk) 19:12, 19 January 2018 (UTC)
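
An added illustration, not part of anyone's post above and not LoginNotify's own code: it takes a constructed list of failed-login events, counts failures per account (the number the Echo badge reflects), chooses between an exact count and a bundled "multiple" wording at an assumed threshold, and separates the bot pattern described above (one IP spraying many common usernames) from repeated failures aimed at a single account. The event fields, thresholds, message wording and sample events are assumptions made for this example.

```python
"""
Failed-login events -> per-account notification counts, plus a check for
the bot pattern of one IP spraying many usernames.

Added example (not LoginNotify's code). Event fields, thresholds, message
wording and the sample events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FailedLogin:
    ts: int          # unix seconds (assumed field)
    username: str
    ip: str


# Constructed sample: one IP tries five common names once each (a spray),
# a second IP hits one account twelve times, a third fails once.
SAMPLE_EVENTS = (
    [FailedLogin(1000 + i, name, "198.51.100.7")
     for i, name in enumerate(["Admin", "Alice", "Bob", "Carol", "Dave"])]
    + [FailedLogin(2000 + i, "Eve", "203.0.113.9") for i in range(12)]
    + [FailedLogin(3000, "Alice", "192.0.2.44")]
)


def failures_per_account(events):
    """The raw count per account: what the Echo badge shows when failed-login
    notices are the only unread items."""
    counts = defaultdict(int)
    for e in events:
        counts[e.username] += 1
    return dict(counts)


def notification_text(count, bundle_at=5):
    """Exact number below the threshold, a bundled 'multiple' at or above it
    (illustrative wording, not the extension's message text).
    Returns (text, count) so the caller can still expose the number."""
    if count >= bundle_at:
        text = "There have been multiple failed attempts to log in to your account."
    else:
        text = f"There have been {count} failed attempt(s) to log in to your account."
    return text, count


def spraying_ips(events, min_accounts=3):
    """IPs that failed against at least min_accounts distinct usernames."""
    names = defaultdict(set)
    for e in events:
        names[e.ip].add(e.username)
    return {ip: len(s) for ip, s in names.items() if len(s) >= min_accounts}


def classify_accounts(events, min_accounts=3, targeted_at=10):
    """'spray-only' if every failure came from a spraying IP, 'targeted' if
    at least targeted_at failures came from IPs that are not spraying,
    otherwise 'mixed'. A large total alone is not the signal."""
    sprayers = spraying_ips(events, min_accounts)
    focused = defaultdict(int)
    seen = set()
    for e in events:
        seen.add(e.username)
        if e.ip not in sprayers:
            focused[e.username] += 1
    return {
        u: ("targeted" if focused[u] >= targeted_at
            else "spray-only" if focused[u] == 0
            else "mixed")
        for u in seen
    }


if __name__ == "__main__":
    for user, n in sorted(failures_per_account(SAMPLE_EVENTS).items()):
        print(user, n, notification_text(n)[0])
    print(classify_accounts(SAMPLE_EVENTS))
```

With the constructed sample, "Eve" is the only account classified as targeted even though the spraying IP produced more notifications overall; the per-account total that the badge shows cannot make that distinction on its own.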

Getting failed login attempt notification

I have been receiving this notification for several weeks now. My account is being logged in by some anonymous person. There have been over 50 failed attempts to login since 2 days and a total of 100 failed attempts since 16 days. Please help me and guide me what to do. I have a strong password. Will I need to change this on a daily basis? --Kskhh (talk) 09:20, 28 September 2017 (UTC)

@Kskhh: These notifications are designed to raise your awareness if someone is trying to gain access to your account. There's nothing that can be done to stop the person from continual attempts. If you're satisfied with the strength of your password and these notifications are annoying, you can disable them at Special:Preferences#mw-prefsection-echo for the problematic wiki. If you're concerned about your account security, you can enable two factor authentication by visiting Special:Two-factor_authentication. — Trevor Bolliger, WMF Product Manager 🗨 15:48, 28 September 2017 (UTC)

False warnings: Discontinue notifications

Other users and I have been getting loads of false positives: warnings that a different device was used for a log-in when in fact we were using our same computers all along. Maybe the IPs have changed, but certainly not the devices. So, first, the email notification text should be adapted to properly describe whatever it's supposed to be warning about.

Second, the link to switching off further such notifications should be more visible. I totally overlooked it several times and finally posted on Wikipedia for help to switch them off... just to find out that other users had done so before me. Which means I'm not the only blind Wikipedian around. Please place the link into the main text, and consider phrasing it to fit particularly to the notifications in question (not just to "any" notifications). Thanks.

Third, the amount of false positives actually makes the feature useless, if not a safety risk: Yes, I've now switched off these notifications entirely because I'm sick of getting my mailbox cluttered with false positives. So when something really happens, I won't even know about it... (And other users were looking for the same "solution".) --Ibn Battuta (talk) 20:48, 11 October 2017 (UTC)

Hi Ibn Battuta, sorry it took me so long to respond. Can you tell me more about the notifications you've been getting? It'll help us troubleshoot the problem. I've got some questions, feel free to answer with whatever information you feel like sharing:
How many false warnings did you receive (or how often)? Was there any pattern that you could see -- for example, it always happened when you logged in from work/school, but not somewhere else? Were you using a laptop, desktop, or mobile device? Did you clear your cookies? Were you using incognito mode? Any information like that would really help.
Also, can you give me a link to the page where you asked about it, and saw other people were having the same problems? I'd like to ask other people about what they're seeing.
You make a really good point about having a more prominent "turn off notifications" link -- I'll look into adding a link into the text. Thanks for your feedback; I really appreciate it. -- DannyH (WMF) (talk) 23:26, 18 October 2017 (UTC)
I've filed a ticket to investigate the false positives reported here, and in a couple of German WP discussions. You can see that here: phab:T178619. -- DannyH (WMF) (talk) 20:45, 19 October 2017 (UTC)

helpless notice

I got a login notice mail not long ago, but I can't read anything useful from this message, because it only says that someone had logged in with your account. Like the same function on some other websites, the login notice mail could have some information that tells the user when and where the account was logged in, such as the login time, the IP address and the characteristic sign of the login device. This useful information can help the user know or remember the login of the account, not just the dull notice. --Cwek (talk) 05:45, 19 October 2017 (UTC)

That feature is under development. See phab:T174562. Sorry for the very delayed reply. -- NKohli (WMF) (talk) 12:19, 15 December 2017 (UTC)

Notifications not getting marked as "Read"

I guess I'm not the only one who expects the notifications to get marked as "Read" after I clicked on them. This expectation holds for all other notifications except the notifications about "failed login attempts". Despite the ?markasread=<notificationId> fragment I see when hovering over those notifications, they don't seem to be getting marked as "Read" until I go to Special:Notifications and "Mark group as read". This seems to be something that should be fixed (or) am I missing something? - - Kaartic correct me, if i'm wrong 04:58, 2 December 2017 (UTC)

This sounds similar to phab:T179765. It would seem that this is a problem with Notifications and not LoginNotify. We're keeping an eye on the ticket and will let you know if we learn of anything. Meanwhile, please try disabling your adblocker(s) while marking the notification as "Read" and see if it helps? -- NKohli (WMF) (talk) 12:22, 15 December 2017 (UTC)
Task T179765 seems to be similar. I did try restarting Firefox with Add-ons disabled and the result was the same. I also tried clicking on the notification in the Chromium browser to see if they get marked as read. It had no effect either. - - Kaartic correct me, if i'm wrong 05:54, 6 January 2018 (UTC)

Absolute Joke

30 + notifications in 2 days, 10 emails in 3 minutes? I'm a 13+ years seasoned Wikipedian, an admin at en. since probably the creators of this crap were still at junior school. Did not one idiot think that some of us might have secure enough passwords we would prefer to opt in, not have it foisted on us? Honestly, absolute bloody joke. Pedro :  Chat  22:25, 6 December 2017 (UTC)

@Pedro: So disable "Failed login attempts" under "Notifications" in your Preferences instead of insulting people? --Malyacko (talk) 22:37, 10 December 2017 (UTC)
@Pedro: Let's set the facts straight, shall we? You got 28 notifications over a span of 6 days. The feature was requested by the community and the community basically forced us to make the feature default everywhere. You got notifications from 2 wikis, not 50. It's not a huge problem to change your preferences, I imagine. Your comments are disruptive and insulting. I am shocked to learn that you are an enwiki admin. -- NKohli (WMF) (talk) 12:30, 15 December 2017 (UTC)
@Pedro: Tone it down. Abusing software developers is not acceptable in any context. As another enwiki admin (who got the bit 2 days after you; and a 15-year Wikipedian), I share NKohli's shock at your behavior. — Scott talk 17:36, 12 January 2018 (UTC)

Hidden Tracking

« The extension keeps track of known browsers by placing a HTTP cookie in the browser »
« This cookie automatically expires in 180 days »

Can this Long-Time-Cookie be misused by any third-party-people for tracking? --89.204.135.54 22:40, 10 December 2017 (UTC)

Not really. There are other cookies placed in your browser by Wikipedia. For example, to keep you logged in. And plenty of other websites do the same all the time. I am not aware of any way this may be misused. You need not worry. -- NKohli (WMF) (talk) 12:32, 15 December 2017 (UTC)

IP address

This tool is completely useless (at least it is useless to experienced users) unless there's notification of the IP address from which the login attempt has been performed. Just this morning (Dec 26) I received in my email box 7 (seven) e-mails in a row from 2:45 UTC+1 until 3:03 UTC+1 that read that on en.wiki an anonymous user had tried to log in (my home wiki is it.wiki, as a matter of fact). Rather than recommend to an established (13+) user (who happens also to be administrator on Wikimedia Commons) to adopt a strong password, could this tool provide them with the IP of the lamer who tries to get in with someone else's credentials? -- Blackcat (talk) 11:40, 26 December 2017 (UTC)
PS three more failed attempts on zh.wiki from 15:57 UTC+1 to 15:58 UTC+1.

Ability to disable "new device" web notifications[edit]

In Special:Preferences#mw-prefsection-echo I can disable email notifications for logins from unfamiliar device, however the checkbox for the web notification is in read-only disabled state. How can I disable the web notifications as well? --Yury Bulka (talk) 12:59, 5 September 2018 (UTC)

Hi Yury Bulka. This is a known problem and we are tracking it in task T174220. We're working on fixing it as soon as we can. Thanks. -- NKohli (WMF) (talk) 23:47, 5 September 2018 (UTC)

Permanent change of my Mac-IP

Using a Mac ProBook I recently uploaded the new MacOS Mojave, and since then I have always been getting these mails by Wikipedia saying that maybe there was somebody else who hacked my account.
Today I went to an AppleStore to get some advice, and they told me that my Mac gets a new IP every few days or even every 24 hrs, according to the new (?) rules of privacy (by Apple).
For being a Wikipedia user it seems fine that they inform me about such things, but now there is no control anymore, whether there was somebody else who tried to hack my account – or it was myself. What could be done?--Imruz (talk) 17:14, 23 November 2018 (UTC)
Imruz Which browser are you using? Do you delete the cookies after using it or do you use Incognito mode? The tool places a cookie in your browser which helps it remember that your browser is trusted and it does not send out an email if the cookie is present. -- NKohli (WMF) (talk) 19:29, 26 November 2018 (UTC)
Hi NKohli (WMF), thanks a lot for your answer. One aspect mentioned by you seems to be interesting, for I didn't know it: After finishing interneting (mostly Wikipedia) I empty my browser cache. My browser itself is Safari 12.0.1.
After all, I think I have to deal with it. But maybe you find another reason. Thank you very much for your advice in advance. Regards--Imruz (talk) 10:57, 27 November 2018 (UTC)
@Imruz: Okay. So it seems to me that the notifications and emails will stop if you don't clear your browser cache. May I ask why you clear it? If your laptop is shared among multiple people then it makes sense to do this but otherwise I would not recommend you clear your cache. If you still want to do it, you can also turn off the preference for getting mails in your Preferences. -- NKohli (WMF) (talk) 18:30, 27 November 2018 (UTC)
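
An added illustration, not part of the discussion above and not the extension's code, of the two signals the threads "Was not notified", "Hidden Tracking" and this one describe: a known-browser cookie that expires after 180 days, and an IP address the account was recently seen from. The cookie here is an HMAC-signed value bound to one account, so the server can verify it without storing anything per browser, and a copied or edited value fails; the decision logic then skips the notification when either signal matches. The cookie name and format, the signing secret, the 30-day IP window and the sample logins are assumptions made for this example.

```python
"""
Familiar-device check for login notifications: a signed 180-day cookie
plus a recently-seen IP list.

Added example (not LoginNotify's code). The cookie name and format, the
signing secret, the IP window and the sample logins are assumptions.
"""
import base64
import hashlib
import hmac

SECRET = b"replace-with-a-server-side-secret"   # assumption: one server key
COOKIE_NAME = "loginnotify_known"               # assumed name
COOKIE_TTL = 180 * 24 * 3600                    # 180 days, as the page states


def issue_cookie(user_id, now, secret=SECRET):
    """Value = urlsafe-base64("user:expiry:hmac-sha256"). The MAC binds the
    cookie to one account and one expiry, so a copied or edited value fails."""
    expiry = now + COOKIE_TTL
    payload = f"{user_id}:{expiry}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b":" + tag).decode()


def set_cookie_header(value):
    """Attributes keep the cookie on the issuing site only: HttpOnly hides
    it from page scripts, Secure limits it to HTTPS, SameSite=Lax keeps
    cross-site requests from carrying it. Max-Age matches the 180 days."""
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Max-Age={COOKIE_TTL}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def cookie_is_known(cookie, user_id, now, secret=SECRET):
    """True only for an untampered, unexpired cookie issued to this user."""
    if not cookie:
        return False
    try:
        uid, expiry, tag = base64.urlsafe_b64decode(cookie.encode()).decode().split(":")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(secret, f"{uid}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return uid == str(user_id) and expiry > now


class LoginNotifier:
    """Tracks the IPs each account was recently seen from and decides
    whether an attempt looks like it came from an unfamiliar device."""

    def __init__(self, ip_window=30 * 24 * 3600):   # assumed 30-day window
        self.ip_window = ip_window
        self.recent_ips = {}                         # user_id -> {ip: last_seen}

    def record_success(self, user_id, ip, now):
        """On a successful login, remember the IP and hand back a fresh cookie."""
        self.recent_ips.setdefault(user_id, {})[ip] = now
        return issue_cookie(user_id, now)

    def ip_is_known(self, user_id, ip, now):
        seen = self.recent_ips.get(user_id, {}).get(ip)
        return seen is not None and now - seen <= self.ip_window

    def should_notify(self, user_id, ip, cookie, now):
        """(notify?, reason). Either signal is enough to stay quiet: a private
        window on a familiar IP is silent, and so is an attempt from an
        address the account recently used, even if someone else is behind it."""
        if cookie_is_known(cookie, user_id, now):
            return False, "known-cookie"
        if self.ip_is_known(user_id, ip, now):
            return False, "known-ip"
        return True, "unfamiliar"


def demo():
    """Constructed scenarios drawn from the threads above."""
    n = LoginNotifier()
    t0 = 1_700_000_000
    cookie = n.record_success("u42", "203.0.113.5", t0)
    return {
        "private_window_same_ip": n.should_notify("u42", "203.0.113.5", None, t0 + 60),
        "cookie_new_ip": n.should_notify("u42", "198.51.100.9", cookie, t0 + 60),
        "cleared_cookies_new_ip": n.should_notify("u42", "198.51.100.9", None, t0 + 60),
        "cookie_after_180_days": n.should_notify("u42", "198.51.100.9", cookie, t0 + COOKIE_TTL + 1),
    }


if __name__ == "__main__":
    for name, (notify, why) in demo().items():
        print(f"{name:24s} notify={notify} ({why})")
```

The scenarios reproduce the two reports: a private window on the same IP stays quiet (the "Was not notified" case), while cleared cookies on a rotating IP notify every time (the Safari case above). The same logic means an attempt from a shared address the account recently used is silent too, which is the trade-off behind checking the IP at all. On the tracking question, the cookie is only ever sent back to the site that set it, and with the attributes shown it is not readable by page scripts or attached to cross-site requests.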