Talk:Community Tech/LoginNotify

From Meta, a Wikimedia project coordination wiki

"Sticky" notification

I know this may be a little late to ask, but would it be possible to make sure the notification stays "new" for, say, a week? It's possible the IP did successfully log in after a few failed attempts, checked the notification so it didn't appear to the real owner of the account, and then went on their merry way for one reason or another. I'm not the kind of person that checks notifications if I don't have an alert saying I have new notifications. If it was impossible for someone to log in to my account and then was unable to check the notification as read, I would know immediately the next time I logged in to change my password. Without this, I probably wouldn't know about any failed login attempts until I was blocked as a compromised account. If I'm not mistaken, in general, compromised accounts aren't unblocked without very good reason on enwiki. (I do have a committed identity set up there, but what if I didn't?) Gestrid (talk) 04:03, 7 April 2017 (UTC)

Thanks for your reply. Having a sticky notification can be annoying to users who check their notifications frequently and like to have an empty notification counter. Also this functionality does not currently exist with our notification system and would require quite some time and effort to build. If you feel strongly about this, please feel free to request this in the next wishlist survey. Thank you! -- NKohli (WMF) (talk) 20:25, 21 August 2017 (UTC)

Why is it believed to be a good idea to have a link to a password change tool?

To me it seems like the general best practice for managing passwords is that when a user gets an unsolicited email with a link that asks him to enter passwords, the user generally shouldn't follow the link. Training a user with the idea that serious websites send links like that increases the chances that the user will fall victim to a phishing attack. ChristianKl (talk) 10:08, 15 May 2017 (UTC)

I agree that we want to have a responsible design, but in this feature's case I don't see this as causing any problems. There are two password change tools: 1) When you forget your password and cannot log in it can be recovered via Special:PasswordReset which sends an email. 2) If you know your password and want to update your password you can do so without an email via Special:ChangeCredentials. These Echo notifications only appear when you're logged-in, therefore users will be taken to Special:ChangeCredentials which does not use an email.
This doesn't address Special:PasswordReset relying on email, but it is a solicited email. And definitely outside the scope of this specific project. Something to chew on, though... — Trevor Bolliger, WMF Product Manager 🗨 16:35, 15 May 2017 (UTC)

Tyop

I hope you fixed the typo in the alert message: "There have been have been". Yngvadottir (talk) 17:04, 19 August 2017 (UTC)

Thanks for pointing that out! Fixed now. Will be visible on the sites within a few days. -- NKohli (WMF) (talk) 20:20, 21 August 2017 (UTC)

Unified login

(How) does this play together with SUL? I.e.: I have the notification for logins from an unknown device enabled on German Wikipedia, but nowhere else. Will I still get notified when somebody logs into my account in some other project? Or at least when he then visits German Wikipedia and is logged in there automatically? --Schnark (talk) 08:05, 21 August 2017 (UTC)

Yes, you'll get cross-wiki notifications if someone tries to login to your account on any project. -- NKohli (WMF) (talk) 20:22, 21 August 2017 (UTC)
As far as I understand, cross-wiki notifications only work for web notifications, so this won't work for the "Login from an unfamiliar device" notification, which is an email only notification. --Schnark (talk) 06:54, 22 August 2017 (UTC)

Hi! :) I'm wondering about this too… Do we have to enable email notifications for unsuccessful logins and logins from unknown devices on every single Wikimedia website? If it's enough for an attacker to pick any Wikimedia website which does not appear in Special:CentralAuth for the targeted user, it kind of defeats this otherwise awesome security feature… Thanks! — Arkanosis 17:02, 25 August 2017 (UTC)

Due to popular demand, we ended up making them on by default across all wikis. So now they'd work for all wikis. Let me know if it doesn't work for you. Thanks. -- NKohli (WMF) (talk) 22:53, 10 October 2017 (UTC)

Was not notified

I activated all loginnotify options in preferences, then used a private window of my web browser to log in again with a false password. Now, minutes later, I still have not been notified? --𝔊 (Gradzeichen DiſkTalk) 07:48, 22 August 2017 (UTC)

That's because your IP address is a known IP. You'd have to change your IP address in addition to using a private browser window. -- NKohli (WMF) (talk) 22:16, 23 August 2017 (UTC)

IP address of unsuccessful attempts

Three days ago I had 3 unsuccessful attempts to log in with my username. I had similar problems in May and April, and it could be the same user. Is it possible to get the IP address of unsuccessful attempts? --Superikonoskop (talk) 15:45, 28 August 2017 (UTC)

Given that the password reset emails you get specify the IP address, I think it would make sense for this one to as well. — Scott talk 11:52, 8 September 2017 (UTC)
There's a ticket about it and we'll try to prioritise it over the next few weeks. Thanks. -- NKohli (WMF) (talk) 22:51, 10 October 2017 (UTC)

"Multiple" failed attempts

Contrary to the description given here of the feature, I only have notifications that say "multiple failed attempts" (and a lot of them, possibly due to my simple user name and/or admin status - 12 of them in one day recently). That seems less useful than indicating whether it was 5, 10, or so on. — Scott talk 22:12, 6 September 2017 (UTC)

I don't personally see how "10" is more useful than "multiple". The idea was to not panic the user(s) but nonetheless there does seem to be panic. In one case someone got 400+ attempts on a single day. Showing them that number doesn't seem like a great idea. It's not helpful in any case to them. Note that the number count on the Echo Notification icon correctly indicates the number of attempts (if that is the only notification you have). -- NKohli (WMF) (talk) 22:51, 10 October 2017 (UTC)

Getting failed login attempt notification

I have been receiving this notification for several weeks now. My account is being logged in by some anonymous person. There have been over 50 failed attempts to log in since 2 days and a total of 100 failed attempts since 16 days. Please help me and guide me what to do. I have a strong password. Will I need to change this on a daily basis? --Kskhh (talk) 09:20, 28 September 2017 (UTC)

@Kskhh: These notifications are designed to raise your awareness if someone is trying to gain access to your account. There's nothing that can be done to stop the person from continual attempts. If you're satisfied with the strength of your password and these notifications are annoying, you can disable them at Special:Preferences#mw-prefsection-echo for the problematic wiki. If you're concerned about your account security, you can enable two factor authentication by visiting Special:Two-factor_authentication. — Trevor Bolliger, WMF Product Manager 🗨 15:48, 28 September 2017 (UTC)

False warnings: Discontinue notifications

Other users and I have been getting loads of false positives: warnings that a different device was used for a log-in when in fact we were using our same computers all along. Maybe the IPs have changed, but certainly not the devices. So, first, the email notification text should be adapted to properly describe whatever it's supposed to be warning about.

Second, the link to switching off further such notifications should be more visible. I totally overlooked it several times and finally posted on Wikipedia for help to switch them off... just to find out that other users had done so before me. Which means I'm not the only blind Wikipedian around. Please place the link into the main text, and consider phrasing it to fit particularly to the notifications in question (not just to "any" notifications). Thanks.

Third, the amount of false positives actually makes the feature useless, if not a safety-risk: Yes, I've now switched off these notifications entirely because I'm sick of getting my mailbox cluttered with false positives. So when something really happens, I won't even know about it... (And other users were looking for the same "solution".) --Ibn Battuta (talk) 20:48, 11 October 2017 (UTC)

Hi Ibn Battuta, sorry it took me so long to respond. Can you tell me more about the notifications you've been getting? It'll help us troubleshoot the problem. I've got some questions, feel free to answer with whatever information you feel like sharing:
How many false warnings did you receive (or how often)? Was there any pattern that you could see -- for example, it always happened when you logged in from work/school, but not somewhere else? Were you using a laptop, desktop, or mobile device? Did you clear your cookies? Were you using incognito mode? Any information like that would really help.
Also, can you give me a link to the page where you asked about it, and saw other people were having the same problems? I'd like to ask other people about what they're seeing.
You make a really good point about having a more prominent "turn off notifications" link -- I'll look into adding a link into the text. Thanks for your feedback; I really appreciate it. -- DannyH (WMF) (talk) 23:26, 18 October 2017 (UTC)
I've filed a ticket to investigate the false positives reported here, and in a couple of German WP discussions. You can see that here: phab:T178619. -- DannyH (WMF) (talk) 20:45, 19 October 2017 (UTC)
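
The "known IP" reply under "Was not notified" and the false positives reported in this section both follow from treating a login as familiar when either the browser cookie or the IP address is recognised. The sketch below is an added example, not LoginNotify's own code: it is a simplified model built only from the replies on this page, and the exact-match IP comparison, the learning of an IP on successful login, the sample IPs and the cookie value are assumptions. Attempt-count thresholds are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class KnownDevices:
    """Per-account record of IPs and browser cookies seen on successful logins."""
    ips: set = field(default_factory=set)
    cookies: set = field(default_factory=set)

    def is_known(self, ip, cookie):
        # Either signal is enough, so losing the cookie alone changes nothing.
        return ip in self.ips or (cookie is not None and cookie in self.cookies)

    def record_success(self, ip, cookie):
        # Assumption: a successful login teaches the model this IP and cookie.
        self.ips.add(ip)
        if cookie is not None:
            self.cookies.add(cookie)

def replay(state, events):
    """Return 'notify' or 'silent' per (ip, cookie, success) event, in order."""
    outcomes = []
    for ip, cookie, success in events:
        outcomes.append("silent" if state.is_known(ip, cookie) else "notify")
        if success:
            state.record_success(ip, cookie)
    return outcomes

# Constructed sample data (documentation-range IPs, made-up cookie value).
HOME = KnownDevices(ips={"192.0.2.10"}, cookies={"cookie-home"})
EVENTS = [
    ("192.0.2.10", None, False),            # private window, wrong password, usual IP
    ("198.51.100.7", None, True),           # same laptop, cookies cleared, new IP
    ("198.51.100.7", None, True),           # same laptop again, IP now learned
    ("203.0.113.5", "cookie-home", True),   # usual browser on a different network
    ("203.0.113.99", None, False),          # no cookie, unfamiliar IP, wrong password
]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(HOME, EVENTS)):
        print(event, "->", outcome)
```

The second event is the false positive described above: the device is unchanged, but with the cookie gone and a new IP the model has nothing left to recognise it by.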

helpless notice

I gave a login notice mail not long ago, but I can read anything useful from this message because of the word that someone had logged in with your account. Like same function of some other website, the login notice mail maybe has some information that tells the user when and where the account was logged in, such as login's time, the IP address and the characteristic sign of the login device. The useful information can be help to the user know or remember the login of the account, no just the dull notice. --Cwek (talk) 05:45, 19 October 2017 (UTC)