Talk:Community Tech/LoginNotify

From Meta, a Wikimedia project coordination wiki
Jump to: navigation, search

"Sticky" notification[edit]

I know this may be a little late to ask, but would it be possible to make sure the notification stays "new" for, say, a week? It's possible the IP did successfully login after a few failed attempts, checked the notification so it didn't appear to the real owner of the account, and then went on their merry way for one reason or another. I'm not the kind of person that checks notifications if I don't have an alert saying I have new notifications. If it was impossible for someone to login to my account and then was unable to check the notification as read, I would know immediately the next time I logged in to change my password. Without this, I probably wouldn't know about any failed login attempts until I was blocked as a compromised account. If I'm not mistaken, in general, compromised accounts aren't unblocked without very good reason on enwiki. (I do have a committed identity setup there, but what if I didn't?) Gestrid (talk) 04:03, 7 April 2017 (UTC)

Thanks for your reply. Having a sticky notification can be annoying to users who check their notifications frequently and like to have an empty notification counter. Also this functionality does not currently exist with our notification system and would require quite some time and effort to build. If you feel strongly about this, please feel free to request this in the next wishlist survey. Thank you! -- NKohli (WMF) (talk) 20:25, 21 August 2017 (UTC)

Why is it believed to be a good idea to have a link to a password change tool?[edit]

To me it seems like the general best practice for managing passwords is that when a user get's an unsolicited email with a link that asks him to enter passwords, the user generally shouldn't follow the link. Training a user with the idea that serious websites send links like that increases the chances that the user will fall victim to a phishing attack. ChristianKl (talk) 10:08, 15 May 2017 (UTC)

I agree that we want to have a responsible design, but in this feature's case I don't see this as causing any problems. There are two password change tools: 1) When you forget your password and cannot log in it can be recovered via Special:PasswordReset which sends an email. 2) If you know your password and want to update your password you can do so without an email via Special:ChangeCredentials. These Echo notifications only appear when you're logged-in, therefore users will be taken to Special:ChangeCredentials which does not use an email.
This doesn't address Special:PasswordReset relying on email, but it is a solicited email. And definitely outside the scope of this specific project. Something to chew on, though... — Trevor Bolliger, WMF Product Manager 🗨 16:35, 15 May 2017 (UTC)

Tyop[edit]

I hope you fixed the typo in the alert message: "There have been have been". Yngvadottir (talk) 17:04, 19 August 2017 (UTC)

Thanks for pointing that out! Fixed now. Will be visible on the sites within a few days. -- NKohli (WMF) (talk) 20:20, 21 August 2017 (UTC)

Unified login[edit]

(How) does this play together with SUL? I.e.: I have the notification for logins from an unknown device enabled on German Wikipedia, but nowhere else. Will I still get notified when somebody logs into my account in some other project? Or at least when he then visits German Wikipedia and is logged in there automatically? --Schnark (talk) 08:05, 21 August 2017 (UTC)

Yes, you'll get cross-wiki notifications if someone tries to login to your account on any project. -- NKohli (WMF) (talk) 20:22, 21 August 2017 (UTC)
As far as I understand, cross-wiki notifications only work for web notifications, so this won't work for the "Login from an unfamiliar device" notification, which is an email only notification. --Schnark (talk) 06:54, 22 August 2017 (UTC)

Hi! :) I'm wondering about this too… Do we have to enable email notifications for unsuccessful logins and logins from unknown devices on every single Wikimedia website? If it's enough for an attacker to pick any Wikimedia website which does not appear in Special:CentralAuth for the targeted user, it kind of defeats this otherwise awesome security feature… Thanks! — Arkanosis 17:02, 25 August 2017 (UTC)

Was not notified[edit]

I activated all loginnotify options in preferences, then used a private window of my web browser to login again with a false password. Now, minutes later, I still got not notified? --𝔊 (Gradzeichen DiſkTalk) 07:48, 22 August 2017 (UTC)

That's because your IP address is a known IP. You'd have to change your IP address in addition to using a private browser window. -- NKohli (WMF) (talk) 22:16, 23 August 2017 (UTC)

IP address of unsuccessful attempts[edit]

Three days ago I had 3 unsuccessful attempts to login with my username. I had simular problems in may and april, and it could be the same user. Is it possible to get the IP address of unsuccessful attempts? --Superikonoskop (talk) 15:45, 28 August 2017 (UTC)

Given that the password reset emails you get specify the IP address, I think it would make sense for this one to as well. — Scott talk 11:52, 8 September 2017 (UTC)

"Multiple" failed attempts[edit]

Contrary to the description given here of the feature, I only have notifications that say "multiple failed attempts" (and a lot of them, possibly due to my simple user name and/or admin status - 12 of them in one day recently). That seems less useful than indicating whether it was 5, 10, or so on. — Scott talk 22:12, 6 September 2017 (UTC)