2017 Community Wishlist Survey/Miscellaneous/Allow additional password recovery methods

From Meta, a Wikimedia project coordination wiki
Jump to: navigation, search

โฌ… Back to Miscellaneous The survey has concluded. Here are the results!


  • Problem: Right now the only way to recover your password is via email, while it is not even necessary to save an email address with your user settings at all.
  • Who would benefit:
    • Occasional authors who forgot their password and did not supply an email address or whose email address has changed meanwhile.
    • The Volunteer Response Team that quite frequent gets inquiries for lost passwords and can often only respond with "you will have to create a new account".
  • Proposed solution:
    • Create a password hash that can be saved separate from the email address.
    • Create other recovery methods, e.g. by "secret questions".
  • More comments:
  • Phabricator tickets:

Discussion

IMHO "secret questions" make everything more insecure, as finding the answer to "What's the birth name of your mother?" etc. is simple social engineering to break into someone else's account. "Password hashs": w:en:Template:Committed identity might be pretty close to that? Have you considered w:Multi-factor authentication? --AKlapper (WMF) (talk) 20:47, 8 November 2017 (UTC)

Two-factor authentification... Would a "normal user" (one of those who forget to update their email address in the settings) do that? --Reinhard Kraasch (talk) 21:48, 8 November 2017 (UTC)
Since the possible "secret questions" are often the same across many different sites, https://xkcd.com/792/ seems relevant too. Anomie (talk) 15:23, 9 November 2017 (UTC)
Two-factor makes account recovery harder, not easier. --Tgr (WMF) (talk) 04:52, 19 November 2017 (UTC)
I only read about it in its early days. It was confusing enough to make *everything* harder... I hope it improved. Gotta read about it again someday. - Nabla (talk) 23:32, 1 December 2017 (UTC)
  • Most of this is easily solvable by just more strongly encouraging people to register and verify their email address. Have you seen those websites where once a year they ask "is this still your email address?". Similar reminders and encouragements can be given. In my opinion not registering an email address should be an active opt-out, not a lazy default situation. โ€”TheDJ (talk โ€ข contribs) 20:48, 9 November 2017 (UTC)
    • That's a good point, sending a reminder to said folks should be pretty easy. And yeah, we should encourage it more heavily on the registration page. Not an a hard failure, but at least a "HEY ARE YOU REALLY F'ING SURE? HAVING AN EMAIL IS A GOOD IDEA YO" would encourage people to not skip out. ๐Ÿ˜‚ (talk) 00:27, 10 November 2017 (UTC)
    • Maybe specifically when an online email service provide is known to terminating or terminated their service, a reminder can be given to those people? C933103 (talk) 20:04, 11 November 2017 (UTC)
  • Maybe send a person who doesn't register their email every 3 months a central notice asking them to fill out their email address? ChristianKl (talk) 17:29, 11 November 2017 (UTC)
    • But the proposal was about email address that have been registered but changed.C933103 (talk) 20:04, 11 November 2017 (UTC)

A password hash is basically a password, except it's impossible to remember. How would that help? If you care about your account being lost, set an email address and keep it up to date. If someone can't be trusted to do that, it's hard to imagine they would keep better track of their identity hash. +1 to nagging people with significant editcount to set/update their email address instead. (Also, maybe allow setting a secondary recovery email address?) --Tgr (WMF) (talk) 04:52, 19 November 2017 (UTC)

I'm not a fan of the proposed alternative recovery methods. Perhaps something like adding a phone number might make sense, although that's also not without its flaw in terms of people stealing other people's phone numbers. BWolff (WMF) (talk) 22:49, 28 November 2017 (UTC)

It is now well established that SMS is not secure enough for 2FA, but using it (or voice calls) for password recovery would be even more dangerous as not even the password would be required to break into an account. Admittedly, intercepting and redirecting messages or calls may be well beyond the abilities of a regular script-kiddie, but that's not the only group of possible attackers. This may in particular put people living in countries with oppressive regimes under especially high risk. Of course, entering a phone number may (and should) be optional, but still not everyone would be aware of the security implications, with many people happily assuming that nobody else should be able to read their text messages or hear their voice calls. Last but not least, by implementing something like this, we'll be going in the exact opposite direction of where everyone else is going nowadays (or should/will sooner or later be going, anyway).
โ€” Luchesar โ€ข T/C 23:18, 28 November 2017 (UTC)
  • Better look into how proofs are done at Keybase. You can use multiple proofs to verify an identity, and if the proofs gives a sufficiently high trust, then revoke of credentials can be initiated. Please don't use SMS, but if you do, ask for an alternate return path. Note also that if an attacker asks for new credentials, then he already has a working attack vector for the special page at Wikipedia. โ€” Jeblad 01:18, 11 December 2017 (UTC)

Voting

  • Support Support David1010 (talk) 11:03, 28 November 2017 (UTC)
  • Support Support --Liuxinyu970226 (talk) 13:09, 28 November 2017 (UTC)
  • Oppose Oppose Regular reminders of emails and messages are good, the answer or hash to restore is not safe. Third party login (OAuth) can be reviewed. There is no more reason to retrieve a lost account.--YFdyh000 (talk) 14:51, 28 November 2017 (UTC)
  • Oppose Oppose While I recognize the issue, the suggested alternatives are not safe. I would be much more in favour of a solution where (selected) admins / power users can directly set a new password for users who cannot request a new password via mail. --Rcdeboer (talk) 15:23, 28 November 2017 (UTC)
  • Support Support Thomas Obermair 4 (talk) 22:00, 28 November 2017 (UTC)
  • Symbol oppose vote oversat.svg Strong oppose โ€œSecret questionsโ€ are a disaster from security standpoint, especially if they would be mandatory. +1 for promoting use of e-mails and possibly also committed identity. The latter should also help when an account had already been overtaken by an adversary, though, admittedly, it's not exactly very user friendly (extending the documentation might help somewhat here). After all, the only safe user is the one who is aware of the security hazards around and makes reasonable effort to protect themselves. If they can't be bothered to do this, well, it's an indication that they don't value their (current) account that much anyway. And Wikipedia isn't like a cloud storage or web-based e-mail where a lost account means also lots of lost information, too (users with special rights, e.g. sysops, are obviously a different case, but the elevated rights do also come with an expectation of an elevated level of responsibility, so such users actually have no excuse to be lazy about keeping their accounts safe). โ€” Luchesar โ€ข T/C 22:27, 28 November 2017 (UTC)
  • Support Support Sebastian Wallroth (talk) 07:31, 29 November 2017 (UTC)
  • Support Support (only Two factor authentication) ZellmerLP (talk) 22:18, 29 November 2017 (UTC)
  • Oppose Oppose Not safe! --Kusurija (talk) 22:21, 29 November 2017 (UTC)
  • Support Support ืงื•ื‘ืฅ ืขืœ ื™ื“ (talk) 12:37, 30 November 2017 (UTC)
  • Support Support Support the concept (better recovery), not any particular implementation. Nabla (talk) 23:27, 1 December 2017 (UTC)
  • Oppose Oppose the proposed solutions, but do support the idea of finding other ways for people to reset their accounts. ๐Ÿ˜‚ (talk) 01:32, 2 December 2017 (UTC)
  • Oppose Oppose (Support Support reminding users about their email and stressing that they should add an email tho.) --Terra โค (talk) 07:04, 2 December 2017 (UTC)
  • Oppose Oppose --Termininja (talk) 17:10, 2 December 2017 (UTC)
  • Symbol oppose vote oversat.svg Strong oppose, as secret questions would compromise the security of the accounts using them and the project itself when used by users holding relatively advanced permissions. --Kostas20142 (talk) 18:30, 3 December 2017 (UTC)
  • Support Support Could consider GPG keys verification, SSH key pair verification, or other methods, passwords are a bit 1990s perhaps? Gryllida 00:47, 4 December 2017 (UTC)
  • Oppose Oppose per above - It's not hard to find someone on a website and even if they don't have their Mums name on a website it can still be found by other means. โ€“Davey2010Talk 17:14, 4 December 2017 (UTC)
  • Oppose Oppose no 'secret' questions. I'd support if it were sending password recovery by text or something. NessieVL (talk) 19:26, 5 December 2017 (UTC)
  • Support Support the general concept of improved password reset options, but like others, concerned about some of the specific solutions, so not necessarily supporting any specific solution.--Sphilbrick (talk) 15:16, 6 December 2017 (UTC)
  • Oppose Oppose secret question makes account more prone to be compromised because people will use simple family/personal/work related answers so as not forget and these data is easier to be compromised by several methods. This is good faith proposal, but its effect will create more problem than it intend solves. Ammarpad (talk) 10:50, 7 December 2017 (UTC)
  • Symbol oppose vote oversat.svg Strong oppose, As I already had many unrecoverable problems with all these methods (secret questions, mobile etc.) in other communities and sites. We just have to warn user that without email is probably unlike to recover hers/his password. --Xoristzatziki (talk) 20:51, 9 December 2017 (UTC)
  • Oppose Oppose Klaas `Z4โŸ` V:  22:23, 10 December 2017 (UTC) one would create a possibility to hack user/pw combinations
  • Support Support Ldorfman (talk) 16:54, 11 December 2017 (UTC)
  • Oppose Oppose, I think my mother's maiden name or my father's middle name are way easier to find out (our harassers have found information that was hidden much better) than to hack my email โ€” NickK (talk) 17:16, 11 December 2017 (UTC)