Community Wishlist Survey 2019/Anti-harassment/Add an option to require email address and username to reset password

The survey has concluded. Here are the results!


  • Problem: Trolls and LTAs have been knocking Special:PasswordReset with the intention of trolling and (currently) this cannot be prevented. Then I get password resets I did not request. While I know I have a secure password (and 2FA) on both my SUL accounts and my email, it's annoying, so it'd be better if I could just prevent them. It sometimes gives the impression to ordinary users that their account is being compromised, which is not a good UX.
  • Who would benefit: Those who get spammed with false password resets
  • Proposed solution: Have an OPT-IN checkbox on Preferences, turned off by default. The checkbox will require you to enter your registered email address AND your username to get a password reset. When you set this up, you know your email address, but trolls don't.
  • More comments:
  • Phabricator tickets: phab:T145952
  • Proposer: — regards, Revi 10:38, 4 November 2018 (UTC)
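An added example (not MediaWiki's own code and not part of the proposal) that models the proposed preference in Python. It keeps the current rule, under which either the username or the email address alone identifies the account and triggers a reset mail, and adds the opt-in rule, under which both fields must be supplied and the address must match the registered one. The account table, the mail outbox, the function names and the `require_email_for_reset` flag are all constructed for the example. The reset token is stored server-side only as a hash and is single-use, which is the same principle as the hashed scratch codes raised in the discussion below.

```python
# Added example (not MediaWiki code): Special:PasswordReset with the proposed
# opt-in preference.  Assumed names: Account, require_email_for_reset,
# request_password_reset, verify_reset_token, MAILBOX, PENDING_RESETS.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str                              # registered, confirmed address
    require_email_for_reset: bool = False   # the proposed opt-in checkbox, off by default


# Constructed sample user table; the addresses are placeholders.
USERS = [
    Account("Revi", "revi@example.org", require_email_for_reset=True),
    Account("Brainswiffer", "brainswiffer@example.org"),
]

# Constructed stand-ins for the mail system and the reset-token table.
MAILBOX = []            # (to_address, token) pairs "delivered" by email
PENDING_RESETS = {}     # username -> sha256(token); the plaintext token is never stored

# One message for every outcome, so the form reveals nothing about the account.
GENERIC_MSG = "If the details match an account, a password reset email has been sent."


@dataclass
class Outcome:
    mail_sent: bool
    reason: str                      # internal audit reason, not shown to the requester
    user_message: str = GENERIC_MSG


def _norm_email(value):
    return (value or "").strip().lower()


def _norm_user(value):
    return (value or "").strip()


def _find_account(username, email, users):
    """Current semantics: a username alone, or failing that an email alone, locates the account."""
    username, email = _norm_user(username), _norm_email(email)
    if username:
        return next((a for a in users if a.username == username), None)
    if email:
        return next((a for a in users if _norm_email(a.email) == email), None)
    return None


def request_password_reset(username=None, email=None, users=USERS):
    acct = _find_account(username, email, users)
    if acct is None:
        return Outcome(False, "no-such-account")
    if acct.require_email_for_reset:
        # Opted-in account: both fields are mandatory and the address must match.
        if not _norm_user(username) or not _norm_email(email):
            return Outcome(False, "opt-in-requires-both-fields")
        # Constant-time comparison so the check is not a timing oracle for the address.
        if not hmac.compare_digest(_norm_email(acct.email).encode(),
                                   _norm_email(email).encode()):
            return Outcome(False, "email-mismatch")
    # Issue a fresh random token, keep only its hash, and "mail" the plaintext.
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[acct.username] = hashlib.sha256(token.encode()).hexdigest()
    MAILBOX.append((acct.email, token))
    return Outcome(True, "mail-sent")


def verify_reset_token(username, token):
    """Single-use check: hash the presented token, compare, then discard the record."""
    expected = PENDING_RESETS.get(username)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False
    del PENDING_RESETS[username]
    return True


if __name__ == "__main__":
    print(request_password_reset("Revi"))                       # refused: opt-in needs both
    print(request_password_reset("Revi", "revi@example.org"))   # mail "sent"
    print(verify_reset_token("Revi", MAILBOX[-1][1]))           # True, then single-use
```

Every refusal and every success returns the same user-facing message, so the form cannot be used to confirm whether an address is registered or whether a given user has opted in; that is a design choice of this example, not something the proposal specifies. The audit reason is what a log entry would carry for the people handling the abuse, which is where the "20 per week" figure mentioned below would come from.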

Discussion

  • When I can use different mail addresses and I have forgotten which one is necessary for password reset? There should be a separate option to send a confirmation mail to the address used.--Brainswiffer (talk) 07:24, 17 November 2018 (UTC)
    • That is not part of this vote. — regards, Revi 07:29, 17 November 2018 (UTC)
    • Currently, you just need to know one of the following: "Email address used for the account" OR "user name", so technically you do not need to know email address to send password reset. But this is being actively abused and one steward I know gets 20 passwords per week (or day, I don't recall). With my proposal, people who voluntarily choose to enforce strict requirement will need to know both "email address used for the account" AND "user name". It's a big difference. Since the change is supposed to be opt-in (you have to click a check box on Preferences, and save it - it is not enabled by default when you register or suddenly forced when you sign in) most ordinary users do not need to take any actions. — regards, Revi 08:08, 17 November 2018 (UTC)
  • Without going into all reasons why this does not work, this doesn't really work even if it is quite common. A real solution is based upon something an attacker can't know, not something that is just a little bit hard to know. So instead of using a mail address as the additional information you use one-time scratch codes, and store them as hash codes on the server. That means only the user knows the real scratch codes, but also that the user requesting the scratch codes must keep them safely. — Jeblad 08:05, 18 November 2018 (UTC)
Given our position on 2FA expansion and the number of people losing 2FA & scratch codes, that is not a solution either. — regards, Revi 08:31, 18 November 2018 (UTC)
Sorry, but scratch codes are the only solution that works and can be proven to be secure. Email and SMS are not secure, and using those for reacquiring credentials can be circumvented. The thing you use to identify yourself can not be anything an attacker can know or easily regenerate. That includes all kinds of smart questioning, means of communication, etc.
Note that the present implementation of 2FA on WMF's servers is de facto a single factor login. I leave it to the reader to figure out why.
Anyhow, there is a lot of information available about this, so it should be unnecessary to argue about it. — Jeblad 09:38, 18 November 2018 (UTC)
  • @Jeblad: you seem to be confusing security measures and anti-harassment measures (and probably many other things too, judging from your single factor remark, but that's off topic here). Security-wise, we are worried about an attacker looking for vulnerable accounts (and not one specific account, as there isn't really any reason for an attacker to limit themselves to one), and it is always easy to find accounts with public email addresses. It does not matter though as the security of password reset does not rely on the email address being secret, or the attacker not being able to request password reset; it relies on the attacker not having access to the target's emails. Harassment-wise, on the other hand, we are worried about the attacker targeting one specific user, whose email address is not known (if it is known the attacker has more direct ways of harassing them so they need to fix that first), so the idea proposed here works just fine. --Tgr (talk) 22:12, 25 November 2018 (UTC)
I'm probably quite stupid, but please discuss the facts, not the persons. This proposal is about a concrete implementation, and that implementation does not work. It fails on the assumption that "it relies on the attacker not having access to the target's emails." A determined attacker will only request a password reset by a specific communication system if he has access to that system. Whether that would be email, SMS, or whatever does not matter. — Jeblad 10:02, 26 November 2018 (UTC)
I don't think Tgr was saying you're stupid. Just confused. After I read your comments I get the impression that you are conflating security (the protection of authentication and access) with anti-harassment (making it difficult for jerks to bother an individual). Both are important. This proposal is in the latter category. It's about stopping people from spamming someone with password reset email notifications over and over, not about making the securing of an account stronger. I agree as a security proposal this would not have much impact, but as an anti-harassment proposal it's helpful for a lot of users. I get these false-positive emails with my staff account. Makes my heart jump into my throat a little each time. :) I'd gladly opt in to this feature to make it a little more difficult for folks to mess with me. CKoerner (WMF) (talk) 16:18, 26 November 2018 (UTC)
Thank you for pointing out that I'm not stupid, just confused. I'll tell the professor next time that his ideas about tokens that are physically inaccessible for an attacker is a pretty dumb and confused idea. — Jeblad 20:42, 27 November 2018 (UTC)
I'm sorry my attempt at clarification frustrated you. I was just trying to help. CKoerner (WMF) (talk) 16:40, 29 November 2018 (UTC)
  • With a caveat: this is not foolproof. Many Wikimedia email addresses are easily guessed, or if you are a list-admin to a Wikimedia mailing list the information is out there. --Rschen7754 07:52, 26 November 2018 (UTC)
    • I assume there's no requirement that your list-admin email is the same as your wikimedia account email right? If so, with gmail and any similar systems you could easily use the plus trick to generate an email address that the attacker won't be able to guess unless you've contacted them over wikipedia email before while keeping everything together. e.g. use rschen7754+wikipedia7754@gmail.com for your wikimedia email. You can just replace your email address in wikimedia if it ever becomes public somehow. Of course you will either have to remember it or make sure you keep a record of the address e.g. by making sure you don't delete emails to that address in the account it belongs to. Nil Einne (talk) 12:40, 1 December 2018 (UTC)

Voting

  • Support MER-C (talk) 18:59, 16 November 2018 (UTC)
  • Support James Martindale (talk) 19:22, 16 November 2018 (UTC)
  • Support XXBlackburnXx (talk) 20:15, 16 November 2018 (UTC)
  • Support George Ho (talk) 20:30, 16 November 2018 (UTC)
  • Support This should definitely be added and would be extremely useful to those of us who receive a good amount of password reset emails. Vermont (talk) 21:33, 16 November 2018 (UTC)
  • Support See above. Super Wang on zhwiki (Share your opinions) 23:55, 16 November 2018 (UTC)
  • Support Braveheidi (talk) 01:05, 17 November 2018 (UTC)
  • Support Dolotta (talk) 01:07, 17 November 2018 (UTC)
  • Support New visitor (talk) 02:02, 17 November 2018 (UTC)
  • Support Ellery (talk) 02:38, 17 November 2018 (UTC)
  • Support Liuxinyu970226 (talk) 03:38, 17 November 2018 (UTC)
  • Support Hiàn (talk) 04:44, 17 November 2018 (UTC)
  • Support Andrew J.Kurbiko (talk) 05:15, 17 November 2018 (UTC)
  • Support 4nn1l2 (talk) 05:27, 17 November 2018 (UTC)
  • Support Jimmyshjj (talk) 06:06, 17 November 2018 (UTC)
  • Support Kpgjhpjm (talk) 07:37, 17 November 2018 (UTC)
  • Support Acamicamacaraca (talk) 08:09, 17 November 2018 (UTC)
  • Support Ammarpad (talk) 08:41, 17 November 2018 (UTC)
  • Support Because there is a possibility that it can be misused with only one element. 水瀬悠志 (talk) 09:32, 17 November 2018 (UTC)
  • Support --Alaa :)..! 10:39, 17 November 2018 (UTC)
  • Support ‐‐1997kB (talk) 11:07, 17 November 2018 (UTC)
  • Support Martin Urbanec (talk) 13:45, 17 November 2018 (UTC)
  • Support Zoranzoki21 (talk) 13:51, 17 November 2018 (UTC)
  • Support Winged Blades of Godric (talk) 16:01, 17 November 2018 (UTC)
  • Support Yilku1 (talk) 16:38, 17 November 2018 (UTC)
  • Support As I'm patrolling recent changes on dewiki, I frequently get such mails from IPs who want to say ironically thanks for reverting their vandalism Victor Schmidt (talk) 16:58, 17 November 2018 (UTC)
  • Support Alangi Derick (talk) 17:11, 17 November 2018 (UTC)
  • Support Cabayi (talk) 17:22, 17 November 2018 (UTC)
  • Support Aristeas (talk) 17:31, 17 November 2018 (UTC)
  • Support Amir (talk) 18:49, 17 November 2018 (UTC)
  • Strongest possible support Definitely a good idea — pythoncoder (talk | contribs) 19:21, 17 November 2018 (UTC)
  • Support Helland (talk) 19:51, 17 November 2018 (UTC)
  • Support Thanks for the fish! talkcontribs 19:55, 17 November 2018 (UTC)
  • Support JAn Dudík (talk) 20:00, 17 November 2018 (UTC)
  • Support Yamaha5 (talk) 20:34, 17 November 2018 (UTC)
  • Support MehdiTalk 20:37, 17 November 2018 (UTC)
  • Support Seems to be a great solution to a seemingly long-standing problem on Wikipedia. SshibumXZ (talk) 21:04, 17 November 2018 (UTC)
  • Support obviously yes Cohaf (talk) 21:09, 17 November 2018 (UTC)
  • Strongest possible support Seems like a great idea. Redactyll (talk) 17:31, 17 November 2018 (UTC)
  • Support Bellezzasolo (talk) 21:50, 17 November 2018 (UTC)
  • Support --Hadibe (talk) 22:10, 17 November 2018 (UTC)
  • Support Wunkt2 (talk) 02:47, 18 November 2018 (UTC)
  • Support TonyBallioni (talk) 03:53, 18 November 2018 (UTC)
  • Support The fact that it is opt-in makes it very easy to support this. Mz7 (talk) 03:53, 18 November 2018 (UTC)
  • Support Temp3600 (talk) 05:49, 18 November 2018 (UTC)
  • Support 책읽는달팽 (User talk) 07:47, 18 November 2018 (UTC)
  • Strong oppose Wrong solution. [And I'm dumb and confused to say so.] — Jeblad 08:05, 18 November 2018 (UTC)
  • Support Jules78120 (talk) 09:50, 18 November 2018 (UTC)
  • Support فرهنگ2016 (talk) 10:41, 18 November 2018 (UTC)
  • Support Hydriz (talk) 14:25, 18 November 2018 (UTC)
  • Support Massimo Telò (talk) 14:46, 18 November 2018 (UTC)
  • Support — Draceane talkcontrib. 17:41, 18 November 2018 (UTC)
  • Support Bruce1ee (talk) 18:06, 18 November 2018 (UTC)
  • Support Fatemi 18:53, 18 November 2018 (UTC)
  • Support Continua Evoluzione (talk) 19:50, 18 November 2018 (UTC)
  • Support Poya-P (talk) 20:54, 18 November 2018 (UTC)
  • Support Stryn (talk) 21:35, 18 November 2018 (UTC)
  • Support Shizhao (talk) 02:36, 19 November 2018 (UTC)
  • Support Courcelles 15:03, 19 November 2018 (UTC)
  • Support Rschen7754 19:27, 19 November 2018 (UTC)
  • Support Kb03 (talk) 00:48, 20 November 2018 (UTC)
  • Support Reasonable proposal to enhance account security, opt-in is also a good solution in case some other people don't like it for whatever reason. -★- PlyrStar93 Message me. 01:02, 20 November 2018 (UTC)
  • Support Ajraddatz (talk) 04:00, 20 November 2018 (UTC)
  • Support providing it's explicitly opt-in, and that there's still a mechanism to override the "email is required" in extreme circumstances since there are circumstances where people will genuinely lose access to email accounts (the mail provider going bust, a rarely-used account being closed for inactivity, a work email for a job from which you've been fired). Making this the default would be a very bad idea. Iridescent (talk) 10:11, 20 November 2018 (UTC)
  • Support Vulphere 14:37, 20 November 2018 (UTC)
  • Support Tiputini (talk) 18:04, 20 November 2018 (UTC)
  • Support Rachel Helps (BYU) (talk) 19:05, 20 November 2018 (UTC)
  • Support Andrewredk (talk) 20:16, 20 November 2018 (UTC)
  • Support CAPTAIN RAJU(T) 22:30, 20 November 2018 (UTC)
  • Support Novak Watchmen (talk) 23:54, 20 November 2018 (UTC)
  • Support Ohwowchow (talk) 02:13, 21 November 2018 (UTC)
  • Support Omotecho (talk) 03:53, 21 November 2018 (UTC)
  • Support Tisfoon (talk) 06:11, 21 November 2018 (UTC)
  • Support Bencemac (talk) 08:15, 21 November 2018 (UTC)
  • Support JopkeB (talk) 08:51, 21 November 2018 (UTC)
  • Support Ayoub Fajraoui (talk) 09:31, 21 November 2018 (UTC)
  • Support Fine... Stevenmitchell (talk) 15:57, 21 November 2018 (UTC)
  • Support Arian Talk 18:36, 21 November 2018 (UTC)
  • Support Framawiki (talk) 19:42, 21 November 2018 (UTC)
  • Support Nihlus 22:14, 21 November 2018 (UTC)
  • Support Jackmegill (talk) 23:15, 21 November 2018 (UTC)
  • Support tOMG 05:37, 22 November 2018 (UTC)
  • Support Lirazelf (talk) 12:53, 22 November 2018 (UTC)
  • Support Though I do not suffer from this problem, I see how this is a big issue to some editors. Solving this problem seems to have no downsides. ーTesser4D 【🅱alk】 17:33, 22 November 2018 (UTC)
  • Support This should be easy to do FiliP ██ 20:12, 22 November 2018 (UTC)
  • Support ~Cybularny Speak? 15:53, 23 November 2018 (UTC)
  • Support James F. (talk) 22:42, 23 November 2018 (UTC)
  • Support Sannita - not just another it.wiki sysop 00:27, 24 November 2018 (UTC)
  • Support Matěj Suchánek (talk) 08:39, 24 November 2018 (UTC)
  • Support Hmxhmx 09:56, 24 November 2018 (UTC)
  • Support Gce (talk) 19:03, 24 November 2018 (UTC)
  • Support Wuyouyuan (talk) 20:30, 24 November 2018 (UTC)
  • Support ~ Seb35 [^_^] 22:22, 24 November 2018 (UTC)
  • Support By erdo can • TLK 08:56, 25 November 2018 (UTC)
  • Support Easy fix for a longstanding problem. — Insertcleverphrasehere (or here) 11:40, 25 November 2018 (UTC)
  • Support It won't solve the problem forever, but it's a great idea to solve the problem. We have suffered from it a lot. Mariogoods (talk) 13:16, 25 November 2018 (UTC)
  • Support Tgr (talk) 22:12, 25 November 2018 (UTC)
  • Support — AfroThundr (u · t · c) 01:42, 26 November 2018 (UTC)
  • Support It's been a while since I got this kind of email, but I've always found them disconcerting. Daniel Case (talk) 06:01, 26 November 2018 (UTC)
  • Support --Maimaid (talk) 09:17, 26 November 2018 (UTC)
  • Support TheMesquito (talk) 15:06, 26 November 2018 (UTC)
  • Support CKoerner (WMF) (talk) 16:21, 26 November 2018 (UTC)
  • Support *Youngjin (talk) 17:20, 26 November 2018 (UTC)
  • Support Whispering (talk) 21:20, 26 November 2018 (UTC)
  • Support - FlightTime (open channel) 21:56, 26 November 2018 (UTC)
  • Support -- Amanda (aka DQ) 22:52, 26 November 2018 (UTC)
  • Support ifny (talk) 01:45, 27 November 2018 (UTC)
  • Support YFdyh000 (talk) 15:26, 27 November 2018 (UTC)
  • Oppose --Ciao • Bestoernesto 00:42, 28 November 2018 (UTC)
  • Support Hwangjy9 (talk) 07:54, 28 November 2018 (UTC)
  • Support JaventheAlderick (talk) 10:24, 28 November 2018 (UTC)
  • Support Calvinballing (talk) 14:43, 28 November 2018 (UTC)
  • Support Pmlineditor (t · c · l) 17:14, 28 November 2018 (UTC)
  • Support Kpjas (talk) 10:20, 29 November 2018 (UTC)
  • Support Seems quite easy, so hopefully Community Tech will have time to go beyond the top ten wishes. ;) Tacsipacsi (talk) 20:56, 29 November 2018 (UTC)
  • Support NicoScribe (talk) 11:25, 30 November 2018 (UTC)
  • Support Alucard 16 (talk) 15:32, 30 November 2018 (UTC)
  • Support RolandUnger (talk) 16:41, 30 November 2018 (UTC)