Talk:Community Tech/Password Reset Update

From Meta, a Wikimedia project coordination wiki

Requesting Feedback for Password Reset Update

We've just launched the project page for Password Reset Update, and we want to hear from you! Do you agree with our analysis of the current system, as outlined on the project page? Is there anything critical that we mischaracterized or failed to include? How do you envision that we change the current system, based on this new preference? What risks should we consider? Let us know. Thank you! IFried (WMF) (talk) 00:15, 3 August 2019 (UTC)

You may be interested in this. Also, if your name shows as a red link here, please consider creating a global user page.

User:Jeblad User:-revi User:CKoerner (WMF) User:FlightTime User:Rschen7754 User:Tgr User:Mariogoods User:Sargoth User:Brainswiffer User:Nil Einne User:MusikAnimal (WMF) User:RolandUnger User:Alucard 16 User:NicoScribe User:Tacsipacsi User:Kpjas User:Pmlineditor User:Calvinballing User:JaventheAlderick User:Hwangjy9 User:Bestoernesto User:YFdyh000 User:Ifny User:DeltaQuad User:Whispering User:*Youngjin User:CodeLyoko User:Maimaid User:Daniel Case User:AfroThundr3007730 User:Insertcleverphrasehere User:By erdo can User:Seb35 User:Wuyouyuan User:Gce User:Hmxhmx User:Matěj Suchánek User:Sannita User:Jdforrester User:Cybularny User:Dungodung User:Œ̷͠²ð·¨´´̢́̕͘³͏¯̞̗ User:Lirazelf User:Tommyang User:Jackmegill User:Nihlus User:Framawiki User:Arian User:Stevenmitchell User:Ayoub Fajraoui User:JopkeB User:Bencemac User:Tisfoon User:Omotecho User:Ohwowchow User:Novak Watchmen User:CAPTAIN RAJU User:Andrewredk User:Rachel Helps (BYU) User:Tiputini User:Vulphere User:Iridescent User:Ajraddatz User:PlyrStar93 User:Kb03 User:Courcelles User:Shizhao User:Stryn User:Poya-P User:Continua Evoluzione User:Fatemi User:Bruce1ee User:Draceane User:Teseo User:Hydriz User:فرهنگ2016 User:Jules78120 User:책읽는달팽 User:Temp3600 User:Mz7 User:TonyBallioni User:Wunkt2 User:Yoav Rafalin User:Hadibe User:Bellezzasolo User:Cohaf User:SshibumXZ User:Mehdi User:Yamaha5 User:JAn Dudík User:Tks4Fish User:Helland User:Pythoncoder User:Ladsgroup User:Aristeas User:Cabayi User:X-Savitar User:Victor Schmidt User:Yilku1 User:Winged Blades of Godric User:Zoranzoki21 User:Martin Urbanec User:1997kB User:علاء User:水瀬悠志 User:Ammarpad User:Acamicamacaraca User:Kpgjhpjm User:Jimmyshjj User:4nn1l2 User:Andrew J.Kurbiko User:Hiàn User:Liuxinyu970226 User:Ellery User:チルノ User:Dolotta User:Braveheidi User:Super Wang User:Vermont User:George Ho User:XXBlackburnXx User:Jkmartindale User:MER-C Whatamidoing (WMF) (talk) 18:13, 6 August 2019 (UTC)

  • Hello! Your analysis seems correct to me. Requesting username and email address seems like a good idea: it should be able to mitigate most of the abuses of the password reset feature (except for users who publish their email addresses on their user pages—but this is up to them). Kind regards, Jules78120 (talk) 18:29, 6 August 2019 (UTC)
  • I might be able to add some insights to the analysis. The 24-hour restriction, if it exists, only applies to a single wiki to my knowledge. In other words, if a user has local accounts at several wikis and SUL-ed into a global account, password resets can be made at a different wiki if the person who resets triggered the 24-hour limit at one wiki. As a result this restriction can be easily circumvented, especially if the targeted user has hundreds of local accounts under the SUL-ed account. In any way, I would welcome the option to require both username and correct email address to be entered to be able to reset the password. This can be unchecked by default in case some people don't feel like remembering which email address they use to connect to their accounts, and only people who think they need it will opt in. -★- PlyrStar93 Message me. 18:39, 6 August 2019 (UTC)
@PlyrStar93: Thank you for the clarification regarding the 24 hour restriction. You are correct that users can circumvent this restriction by simply generating password reset requests on different wikis. I have updated the project page with this information. Much appreciated. IFried (WMF) (talk) 20:39, 7 August 2019 (UTC)
  • I'd agree with PlyrStar93—I think it would make sense to have some kind of opt-out from "enter your email" recovery. Some people have dozens of email accounts, and the combination of forgetting which one was used to register and a 24-hour limit between attempts could become very frustrating. Provided people are willing to check an "I understand that I may be bombarded with reset messages and I know not to panic" box, I see no issue with allowing people to opt in to the old system. Iridescent (talk) 19:04, 6 August 2019 (UTC)
  • The 24 hour limit can make it very time-consuming to try to recover a working password, not sure if it is a good idea. You want a time limit that blocks brute force attacks, yet allows for some trial and error. Usually a time limit is used together with a few attempts to offset this problem. Knowing an email address is no real hurdle, and it can actually be beneficial for an attacker to be able to prod the system. Your email address is a control question, and an extremely weak one. Due to a lot of dumps of emails being available for download, an attacker knows a set of possible email addresses. Also most users have a username that is reflected in their email address. With this system it is possible to test which one is correct. An attacker tests which address is correct, and then attacks the email provider. That is bad; you should not expose the email address or in any way make it possible to infer what it is. You need some kind of information only the correct user will know, but an attacker will never know, and can't find out easily on the net. Typically this is a control question like “what was the name of your first dog”. (This is quite similar to a question “what is the 3rd scratch code”, but a fairly weak one. Also, an alternate control question should be a 2fa code from an app or a scratch code.) You should not use this question to accept a password reset, only to progress with the reset. And you should not inform on the page whether the answer is correct or not, just post a “thank you – we may have forwarded a challenge to the stored email address”. The email with a password reset link can then be sent to the user. Remember to use a short timeout for the link, a 7 day timeout is way too long, and make it depend on the control question. Some systems place the control question on the final page. That makes it possible to harass users, but is more secure. It is also possible to use two control questions, one for each page. 
Remember to hash the answers to the control questions. This is in case someone errs and the answers are leaked. Two rather weak control questions can give a fairly strong system, but then the final outcome must use both answers. Just landing on the second page and guessing the control question should not be enough, but you can carry over a token that provides sufficient information about the first challenge. Do not rotate control questions between the first and second page, that would allow the attacker to solve each question separately. I've seen systems that use two control questions on the second page for increased security, but I'm not sure it is necessary for WMF. — Jeblad 20:12, 6 August 2019 (UTC)
  • Hi. I completely agree with your analysis, and think that users must input a valid combination of username and email address to reset password. And isn't 24 hrs too long? 12 hrs is fine to me. Or users must answer question(s) they set before. --Super Wang hates PC You hate, too? 00:10, 7 August 2019 (UTC)
  • Completely agree with your analysis.--Vulphere 05:28, 7 August 2019 (UTC)
  • I agree that the current system of providing either a username or email is far too easy to abuse. This is especially true when targeting high-profile users, who may be getting bombarded constantly with these reset emails. Adding the option to require both pieces of info would make it significantly more difficult for an account to be targeted by such an attack. However, this feature should be strictly opt-in, as such attacks are not that common and don't affect the average user that much. Meanwhile the aforementioned high-profile users for whom this is a problem can simply opt-in by checking a box in their preferences. There are also accessibility reasons for why you'd want to allow the old behavior by default (e.g. users only remember one or the other, helping someone else initiate a reset re: ACC, etc.) which are scenarios that should not be discounted or ignored. Besides, trying to make this opt-out wouldn't even work that well, since we don't make setting an email mandatory in the first place, and arbitrarily auto-enabling this feature when a user does add an email to their account would be non-obvious and violates the Principle of least astonishment when they do need to finally do a password reset. — AfroThundr (u · t · c) 05:51, 7 August 2019 (UTC)
  • I agree that requesting username and email address looks like a good idea. --Aristeas (talk) 08:11, 7 August 2019 (UTC)
  • This is very cool. Zoranzoki21 (talk) 22:28, 7 August 2019 (UTC)
  • I agree with requesting that, and it's for the right purposes. I think 2FA users may have keys, so ask them for a token for the password reset. Also, if not 2FA, a corresponding system is needed. --책읽는달팽 (User talk) 08:42, 8 August 2019 (UTC)
  • Everything's ok, I'd just add that (at least from my experience) the other main reason why somebody would want to reset somebody else's password is that the user is an admin. In other words, it's a very basic (and ineffective) attempt at spoofing their password. --Sannita - not just another it.wiki sysop 10:33, 8 August 2019 (UTC)
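The following is an added example, not MediaWiki code, that models the opt-in "require both username and email" preference Jules78120 and PlyrStar93 ask for, together with the points Jeblad raises: the page reply never reveals whether the username/email pair was right, control-question answers are stored only as salted hashes, and the reset link is single-use and short-lived. The `Account`, `ResetService` and `PendingReset` names and the `require_email_match` preference are hypothetical; the accounts are constructed sample data.

```python
"""Model of an opt-in username+email password-reset flow.

Added example, not MediaWiki code. Class and preference names are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The same reply for every request, so nothing leaks about the stored address.
GENERIC_REPLY = "Thank you - we may have forwarded a challenge to the stored email address."
TOKEN_TTL = 3600  # seconds; far shorter than the 7-day link objected to above


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise so "Rex" and " rex " compare equal, then PBKDF2 so a leaked
    # table does not expose the plaintext answers.
    norm = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)


@dataclass
class Account:
    username: str
    email: Optional[str]               # may be None: setting an email is not mandatory
    require_email_match: bool = False  # the proposed opt-in preference (hypothetical)
    answer_salt: bytes = field(default_factory=lambda: os.urandom(16))
    answer_hash: Optional[bytes] = None

    def set_control_answer(self, answer: str) -> None:
        self.answer_hash = hash_answer(answer, self.answer_salt)


@dataclass
class PendingReset:
    username: str
    expires_at: int


class ResetService:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts
        self.pending: Dict[str, PendingReset] = {}  # token -> pending reset
        self.outbox: List[Tuple[str, str]] = []      # (email, token) that would be mailed

    def request_reset(self, username: str, email_entered: str, now: int) -> str:
        acct = self.accounts.get(username)
        if acct is not None and acct.email is not None:
            # Old behaviour: the username alone is enough. With the opt-in
            # preference the entered email must also match. Either way the
            # caller sees GENERIC_REPLY, so the stored address is not exposed.
            if not acct.require_email_match or hmac.compare_digest(
                acct.email.lower().encode(), email_entered.strip().lower().encode()
            ):
                token = secrets.token_urlsafe(32)
                self.pending[token] = PendingReset(username, now + TOKEN_TTL)
                self.outbox.append((acct.email, token))
        return GENERIC_REPLY

    def redeem(self, token: str, answer: str, now: int) -> Optional[str]:
        """Return the username whose password may now be changed, else None."""
        reset = self.pending.pop(token, None)  # single use, even if it fails below
        if reset is None or now > reset.expires_at:
            return None
        acct = self.accounts[reset.username]
        if acct.answer_hash is not None:
            # The control question gates the final step, checked in constant time.
            if not hmac.compare_digest(acct.answer_hash, hash_answer(answer, acct.answer_salt)):
                return None
        return reset.username


def demo():
    """Constructed sample accounts: Alice opted in, Bob keeps the old behaviour."""
    accounts = {
        "Alice": Account("Alice", "alice@example.org", require_email_match=True),
        "Bob": Account("Bob", "bob@example.org"),
    }
    accounts["Alice"].set_control_answer("Rex")
    svc = ResetService(accounts)
    replies = (
        svc.request_reset("Alice", "wrong@example.org", now=0),  # no mail sent
        svc.request_reset("Alice", "alice@example.org", now=0),  # mail sent
        svc.request_reset("Bob", "", now=0),                     # old behaviour: mail sent
        svc.request_reset("Nobody", "x@example.org", now=0),     # unknown user: no mail
    )
    return svc, replies


if __name__ == "__main__":
    svc, replies = demo()
    print(replies, len(svc.outbox))
```

All four requests return the identical reply; only two of them put anything in the outbox, which is the property the opt-in preference is meant to provide against reset-mail harassment.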

Follow-up After Initial Feedback

Pinging everyone who commented: @Jules78120, PlyrStar93, Iridescent, Jeblad, Super Wang, Vulphere, AfroThundr3007730, Aristeas, Zoranzoki21, 책읽는달팽, and Sannita:

Everyone, thank you so much for your feedback so far! We’re excited to begin this project, and your feedback has helped us think through some preliminary considerations (technical, security, and user-focused). With that in mind, we have two follow-up questions for the community:

  • In what circumstances would you want to opt-out of this preference?
  • Do you have multiple usernames associated with one email address?

Also, regarding the 24 hour wait period: This restriction only applies to users who can’t reset the password (since they don’t have access to the associated email address). If users reset their passwords, they can reset their password again, with no 24 hour wait period. For this reason, we don’t believe that this restriction hinders good faith users from resetting their passwords. However, it does prevent harassment. The 24 hour restriction is not within the scope of the request, as it’s different in focus and nature, as well. We'll update the project page with this information.

In summary, we would love to hear feedback (regarding the questions we have posed, along with any other topics or concerns). Thanks! IFried (WMF) (talk) 17:29, 20 August 2019 (UTC)
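An added example, not MediaWiki code, modelling the two facts about the 24 hour cool-down stated on this page: PlyrStar93's observation that a limit keyed per local wiki is sidestepped simply by requesting from another wiki of the same global account, and IFried's point that a successful reset clears the cool-down so good-faith users are not held up. The `ResetCooldown` class, its `key_by_wiki` switch and the sample wiki names are hypothetical.

```python
"""Per-wiki versus per-global-account reset cool-down.

Added example, not MediaWiki code; names are hypothetical.
"""
from typing import Dict, List, Tuple

DAY = 24 * 3600  # the 24 hour wait period discussed above


class ResetCooldown:
    def __init__(self, key_by_wiki: bool):
        # key_by_wiki=True reproduces the per-wiki behaviour PlyrStar93 describes;
        # False keys the limit on the global account instead.
        self.key_by_wiki = key_by_wiki
        self.last_request: Dict[Tuple[str, str], int] = {}

    def _key(self, username: str, wiki: str) -> Tuple[str, str]:
        return (username, wiki if self.key_by_wiki else "*")

    def try_request(self, username: str, wiki: str, now: int) -> bool:
        """True if a reset mail would be sent, False if still inside the cool-down."""
        key = self._key(username, wiki)
        last = self.last_request.get(key)
        if last is not None and now - last < DAY:
            return False
        self.last_request[key] = now
        return True

    def reset_succeeded(self, username: str) -> None:
        # The owner completed the reset, so the pending cool-down protects
        # nobody; clear it so they can reset again immediately (IFried's point).
        for key in [k for k in self.last_request if k[0] == username]:
            del self.last_request[key]


def mails_in_burst(limiter: ResetCooldown, username: str, wikis: List[str], now: int) -> int:
    """How many reset mails one burst of requests across several wikis produces."""
    return sum(limiter.try_request(username, w, now) for w in wikis)


# Constructed sample: one SUL account with local accounts on five wikis.
WIKIS = ["enwiki", "dewiki", "frwiki", "commonswiki", "metawiki"]


def compare_keying() -> Tuple[int, int]:
    per_wiki = mails_in_burst(ResetCooldown(key_by_wiki=True), "Target", WIKIS, now=0)
    per_global = mails_in_burst(ResetCooldown(key_by_wiki=False), "Target", WIKIS, now=0)
    return per_wiki, per_global


if __name__ == "__main__":
    print(compare_keying())
```

With per-wiki keying every wiki in the burst sends a mail, while keying on the global account sends exactly one; in both models a successful reset clears the entry so the legitimate owner is never blocked.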

I would think almost anyone with admin status on any project will have more than one account associated with their email address; it would be virtually impossible to operate otherwise, since it's both impractical and undesirable to log on from a phone or a public terminal from an admin account unless that admin account's security is so lax it would likely constitute grounds for desysopping. If there's even a suggestion that it won't be possible in future for a user to have multiple accounts, I can virtually guarantee that at minimum en-wiki, de-wiki and Commons will refuse to accept any change. Iridescent (talk) 19:59, 20 August 2019 (UTC)
I agree with Iridescent on the multiple accounts per email part. I'm not an admin and only have minor permissions on enwiki, but I also have an alt for testing and a bot account linked to this email address. It's handy to not have to set up multiple email accounts (or aliases) for this purpose. And I believe my comment in the section above covered the first question as to why the extra security should be strictly opt-in instead. — AfroThundr (u · t · c) 04:11, 21 August 2019 (UTC)
Hi, I wouldn't opt out of this but I can think of some people who use multiple emails and have been struggling with remembering which one they use for which account (Wikimedia or elsewhere) might opt out. I don't operate multiple usernames at Wikimedia now and didn't know if it's possible to associate one email with more than one Wikimedia account, but makes sense to me if it is. -★- PlyrStar93 Message me. 13:34, 21 August 2019 (UTC)
As per all the others who answered here. Also, is this system going to affect users who activated 2FA on their usernames? Sannita - not just another it.wiki sysop 16:38, 23 August 2019 (UTC)
Per above. I have a bot account which uses the same email address, for example. I do not see any reason to opt-out for "experimented/regular users" (who are the most subject to reset password requests harassment): the risk of forgetting both email address and password is very very low. Kind regards, Jules78120 (talk) 16:07, 24 August 2019 (UTC)

Everyone, thank you for the feedback so far! The details, as related to multiple accounts per email address and opt-in vs. opt-out, were really helpful. We're now conducting an investigation to look into many of the topics discussed here (i.e. how changes will impact general users and 2FA-enabled accounts, security concerns, opt-in vs. opt-out, and other considerations). Once we have finished this investigation, we'll share some of our findings and proposed next steps with the community. IFried (WMF) (talk) 00:24, 24 August 2019 (UTC)