Talk:Community Tech/Password Reset Update

We've just launched the project page for Password Reset Update, and we want to hear from you! Do you agree with our analysis of the current system, as outlined on the project page? Is there anything critical that we mischaracterized or failed to include? How do you envision that we change the current system, based on this new preference? What risks should we consider? Let us know. Thank you! IFried (WMF) (talk) 00:15, 3 August 2019 (UTC)[reply]

some youseing my info I need to Erase everything or change my password 2603:9001:3700:B360:25C7:73A8:4EB5:D410 09:00, 30 March 2024 (UTC)[reply]

Re I remember my forgot facebook password id support this is number+9779843904813 94.207.226.36 07:05, 6 April 2024 (UTC)[reply]

You may be interested in this. Also, if your name shows as a red link here, please consider creating a global user page.

User:Jeblad User:-revi User:CKoerner (WMF) User:FlightTime User:Rschen7754 User:Tgr User:Mariogoods User:Sargoth User:Brainswiffer User:Nil Einne User:MusikAnimal (WMF) User:RolandUnger User:Alucard 16 User:NicoScribe User:Tacsipacsi User:Kpjas User:Pmlineditor User:Calvinballing User:JaventheAlderick User:Hwangjy9 User:Bestoernesto User:YFdyh000 User:Ifny User:DeltaQuad User:Whispering User:*Youngjin User:CodeLyoko User:Maimaid User:Daniel Case User:AfroThundr3007730 User:Insertcleverphrasehere User:By erdo can User:Seb35 User:Wuyouyuan User:Gce User:Hmxhmx User:Matěj Suchánek User:Sannita User:Jdforrester User:Cybularny User:Dungodung User:Œ̷͠²ð·¨´´̢́̕͘³͏¯̞̗ User:Lirazelf User:Tommyang User:Jackmegill User:Nihlus User:Framawiki User:Arian User:Stevenmitchell User:Ayoub Fajraoui User:JopkeB User:Bencemac User:Tisfoon User:Omotecho User:Ohwowchow User:Novak Watchmen User:CAPTAIN RAJU User:Andrewredk User:Rachel Helps (BYU) User:Tiputini User:Vulphere User:Iridescent User:Ajraddatz User:PlyrStar93 User:Kb03 User:Courcelles User:Shizhao User:Stryn User:Poya-P User:Continua Evoluzione User:Fatemi User:Bruce1ee User:Draceane User:Teseo User:Hydriz User:فرهنگ2016 User:Jules78120 User:책읽는달팽 User:Temp3600 User:Mz7 User:TonyBallioni User:Wunkt2 User:Yoav Rafalin User:Hadibe User:Bellezzasolo User:Cohaf User:SshibumXZ User:Mehdi User:Yamaha5 User:JAn Dudík User:Tks4Fish User:Helland User:Pythoncoder User:Ladsgroup User:Aristeas User:Cabayi User:X-Savitar User:Victor Schmidt User:Yilku1 User:Winged Blades of Godric User:Zoranzoki21 User:Martin Urbanec User:1997kB User:علاء User:水瀬悠志 User:Ammarpad User:Acamicamacaraca User:Kpgjhpjm User:Jimmyshjj User:4nn1l2 User:Andrew J.Kurbiko User:Hiàn User:Liuxinyu970226 User:Ellery User:チルノ User:Dolotta User:Braveheidi User:Super Wang User:Vermont User:George Ho User:XXBlackburnXx User:Jkmartindale User:MER-C Whatamidoing (WMF) (talk) 18:13, 6 August 2019 (UTC) [reply]

• Hello! Your analysis seems correct to me. Requesting username and email adress seems like a good idea: it should be able to mitigate most of the abuses of password reset feature (except for users who publish their email adresses on their user pages—but this is up to them). Kind regards, Jules78120 (talk) 18:29, 6 August 2019 (UTC)[reply]
• I might be able to add some insights to the analysis. The 24-hour restriction, if exists, only applies to a single wiki to my knowledge. In other words, if a user has local accounts at several wikis and SUL-ed into a global account, password resets can be made at a different wiki if the person who resets triggered the 24-hour limit at one wiki. As a result this restriction can be easily circumvented, especially if the targeted user has hundreds of local accounts under the SUL-ed account. In any way, I would welcome the option to require both username and correct email address entered to be able to reset password. This can be unchecked by default in case some people don't feel like remembering which email address they use to connect to their accounts, and only people who think need it will opt-in. -★- PlyrStar93 _{→Message me. ←} 18:39, 6 August 2019 (UTC)[reply]

@PlyrStar93: Thank you for the clarification regarding the 24 hour restriction. You are correct that users can circumvent this restriction by simply generating password reset requests on different wikis. I have updated the project page with this information. Much appreciated. IFried (WMF) (talk) 20:39, 7 August 2019 (UTC)[reply]

• I'd agree with PlyrStar93—I think it would make sense to have some kind of opt-out from "enter your email" recovery. Some people have dozens of email accounts, and the combination of forgetting which one was used to register and a 24-hour limit between attempts could become very frustrating. Provided people are willing to check an "I understand that I may be bombarded with reset messages and I know not to panic" box, I see no issue with allowing people to opt in to the old system. Iridescent (talk) 19:04, 6 August 2019 (UTC)[reply]
• The 24 hour limit can make it very time-consuming to try to recover a working password, not sure if it is a good idea. You want a time limit that block brute force attack, yet allow for some trial and error. Usually a time limit is used together with a few attempts to offset this problem. Knowing an email address is no real hurdle, and it can actually be beneficial for an attacker to be able to prod the system. Your email address is a control question, and an extremely weak one. Due to a lot of dumps of emails being available for download an attacker knows a set of possible email addresses. Also most users has a username that reflects in their email address. With this system it is possible to test which one is correct. An attacker test which address is correct, and then attack the email provider. That is bad, you should not expose the email address or any way make it possible to infer what it is. You need some kind of information only the correct user will know, but an attacker will never know, and can't find out easily on the net. Typically this is a control question like “what was the name of your first dog”. (This is quite similar to a question “what is the 3rd scratch code”, but a fairly weak one. Also, an alternate control question should be 2fa code from an app or a scratch code.) You should not use this question to accept a password reset, only to progress with the reset. And you should not inform on the page whether the answer is correct or not, just post an “thank you – we may have forwarded a challenge to the stored email address”. The email with a password reset link can then be sent to the user. Remember to use a short timeout for the link, a 7 day timeout is way to long, and make it depend on the control question. Some system place the control question on the final page. That makes it possible to harass users, but is more secure. It is also possible to use two control questions, one for each page. Remember to hash the answers to the control questions. This is in case someone err and the answers are leaked. Two rather weak control questions can give a fairly strong system, but then the final outcome must use both answers. Just landing on the second page and guessing the control question should not be enough, but you can carry over a token that provide sufficient information about the first challenge. Do not rotate control questions between the first and second page, that would allow the attacker to solve each question separately. I've seen systems that uses two control questions on the second page for increased security, but I'm not sure it is necessary for WMF. — Jeblad 20:12, 6 August 2019 (UTC)[reply]
• Hi. I completely agree with your analysis, and think that users must input a valid combination of username and email address to reset password. And isn't 24 hrs too long? 12 hrs is fine to me. Or users must answer question(s) they set before. --Super Wang hates PC _{You hate, too?} 00:10, 7 August 2019 (UTC)[reply]
• Completely agree with your analysis.--Vulphere 05:28, 7 August 2019 (UTC)[reply]
• I agree that the current system of providing either a username or email is far too easy to abuse. This is especially true when targeting high-profile users, who may be getting bombarded constantly with these reset emails. Adding the option to require both pieces of info would make it significantly more difficult for an account to be targeted by such an attack. However, this feature should be strictly opt-in, as such attacks are not that common and don't affect the average user that much. Meanwhile the aforementioned high-profile users for whom this is a problem can simply opt-in by checking a box in their preferences. There are also accessibility reasons for why you'd want to allow the old behavior by default (e.g. users only remember one or the other, helping someone else initiate a reset re: ACC, etc.) which are scenarios that should not be discounted or ignored. Besides, trying to make this opt-out wouldn't even work that well, since we don't make setting an email mandatory in the first place, and arbitrarily auto-enabling this feature when a user does add an email to their account would be non-obvious and violates the Principle of least astonishment when they do need to finally do a password reset. — AfroThundr ^{(u · t · c)} 05:51, 7 August 2019 (UTC)[reply]
• I agree that requesting username and email address looks like a good idea. --Aristeas (talk) 08:11, 7 August 2019 (UTC)[reply]
• This is very cool. Zoranzoki21 (talk) 22:28, 7 August 2019 (UTC)[reply]
• I agree that requesting, and that's right purposes. i think 2FA users, maybe have keys - so asked they token for password reset. also if not 2FA, Accordingly system is needed --책읽는달팽 (User talk) 08:42, 8 August 2019 (UTC)[reply]
• Everything's ok, I'd just add that (at least from my experience) the other main reason why somebody would want to reset somebody else's password is that the user is an admin. In other words, it's a very basic (and ineffective) attempt at spoofing their password. --Sannita - not just another it.wiki sysop 10:33, 8 August 2019 (UTC)[reply]

Pinging everyone who commented:@Jules78120, PlyrStar93, Iridescent, Jeblad, Super Wang, Vulphere, AfroThundr3007730, Aristeas, Zoranzoki21, 책읽는달팽, and Sannita:

Everyone, thank you so much for your feedback so far! We’re excited to begin this project, and your feedback has helped us think through some preliminary considerations (technical, security, and user-focused). With that in mind, we have two follow-up questions for the community:

• In what circumstances would you want to opt-out of this preference?
• Do you have multiple usernames associated with one email address?

Also, regarding the 24 hour wait period: This restriction only applies to users who can’t reset the password (since they don’t have access to the associated email address). If users reset their passwords, they can reset their password again, with no 24 hour wait period. For this reason, we don’t believe that this restriction hinders good faith users from resetting their passwords. However, it does prevent harassment. The 24 hour restriction is not within the scope of the request, as it’s different in focus and nature, as well. We'll update the project page with this information.

In summary, we would love to hear feedback (regarding the questions we have posed, along with any other topics or concerns). Thanks! IFried (WMF) (talk) 17:29, 20 August 2019 (UTC)[reply]

I would think almost anyone with admin status on any project will have more than one account associated with their email address; it would be virtually impossible to operate otherwise, since it's both impractical and undesirable to log on from a phone or a public terminal from an admin account unless that admin account's security is so lax it would likely constitute grounds for desysopping. If there's even a suggestion that it won't be possible in future for a user to have multiple accounts, I can virtually guarantee that at minimum en-wiki, de-wiki and Commons will refuse to accept any change.Iridescent (talk) 19:59, 20 August 2019 (UTC)[reply]

I agree with Iridescent on the multiple accounts per email part. I'm not an admin and only have minor permissions on enwiki, but I also have an alt for testing and a bot account linked to this email address. It's handy to not have to setup multiple email accounts (or aliases) for this purpose. And I believe my comment in the section above covered the first question as to why the extra security should be strictly opt-in instead. — AfroThundr ^{(u · t · c)} 04:11, 21 August 2019 (UTC)[reply]

Hi, I wouldn't opt out of this but I can think of some people who use multiple emails and have been struggling with remembering which one they use for which account (Wikimedia or elsewhere) might opt out. I don't operate multiple usernames at Wikimedia now and didn't know if it's possible to associate one email with more than one Wikimedia account, but makes sense to me if it is. -★- PlyrStar93 _{→Message me. ←} 13:34, 21 August 2019 (UTC)[reply]

As per all the others who answered here. Also, is this system going to affect users who activated 2FA on their usernames? Sannita - not just another it.wiki sysop 16:38, 23 August 2019 (UTC)[reply]

Per above. I have a bot account which uses the same email adress, for example. I do not see any reason to opt-out for "experimented/regular users" (who are the most subject to reset password requests harassment): the risk of forgetting both email adress and password is very very low. Kind regards, Jules78120 (talk) 16:07, 24 August 2019 (UTC)[reply]

Everyone, thank you for the feedback so far! The details, as related to multiple accounts per email address and opt-in vs. opt-out, were really helpful. We're now conducting an investigation to look into many of the topics discussed here (i.e. how changes will impact general users and 2FA-enabled accounts, security concerns, opt-in vs. opt-out, and other considerations). Once we have finished this investigation, we'll share some of our findings and proposed next steps with the community. IFried (WMF) (talk) 00:24, 24 August 2019 (UTC)[reply]

Pinging everyone who commented:@Jules78120, PlyrStar93, Iridescent, Jeblad, Super Wang, Vulphere, AfroThundr3007730, Aristeas, Zoranzoki21, 책읽는달팽, and Sannita:

We have released the feature, which is called Enhanced Password Reset (EPR), on Wikivoyage and Wiktionary, and we would love your feedback! Please note that we will be releasing EPR to all other wikis soon. Our plan is to do an incremental rollout, rather than releasing all at once.

To enable the feature, go to the “Email options” section in “Preferences.” You can click on the checkbox that states, “Send password reset emails only when both email address and username are provided.” Once you click the checkbox and save, the preference is enabled. Once you enable this preference, users will not be informed that both the username and email addresses are required on Special:PasswordReset (for security reasons). For this reason, you must remember to enter both your username and email address on Special:PasswordReset. Please note that Password Reset Update is not a global preference by default. It is enabled per wiki. However, you can make it global in your global preferences. For more information on password resets, you can visit the Help:Reset_password page on MediaWiki. Thank you! --IFried (WMF) (talk) 19:47, 27 February 2020 (UTC)[reply]

Seven days for an open password reset is way too long. Set it to 30 minutes. (This is like telling someone to lock themselves in. You don't want to expose a working key for too long.) — Jeblad 21:36, 27 February 2020 (UTC)[reply]

Yes, Jeblad is right. 7 days is too long, you should set it to 30 minutes, or on 24 hours, but first option is much better. Zoranzoki21 (talk) 06:15, 28 February 2020 (UTC)[reply]

I'm all for reducing the abuse potential, however, lowering the limit to 30 minutes would significantly increase the number of missed password reset emails we receive at WP:ACC. When we create accounts, we send a random password via password reset, and the user will often not see the email for a day or more. Lowering it from seven days to something like 3 days would be reasonable, I think, but a lifetime of hours or less will cause problems. We must also take into account certain email providers that might delay delivery to the inbox for an hour or more (for various reasons) that this would affect. Perhaps we could make the lifetime configurable, or set it shorter for established accounts, but leave it at 7 days for new/unconfirmed accounts (which are not likely to be a target anyway). — AfroThundr ^{(u · t · c)} 15:43, 28 February 2020 (UTC)[reply]

@Jeblad, Zoranzoki21, and AfroThundr3007730: Thanks for the feedback! As part of this project, we did not update or change how password resets are processed. We focused on the original wish (i.e., a new preference to require both username and email address in order to generate password reset emails). This means that the 7 day requirement is previous behavior that we did not change or alter, and it was out of the scope of this project. If you do, however, feel like the 7 day behavior should be changed, you can reach out to the Core Platform team, which maintains password resets. Meanwhile, if you have any feedback on the new Enhanced Password Reset (found in Preferences, in the 'Email Options' section), we would love to hear it. It is currently testable on Wikivoyage and Wiktionary, and it will be available on all wikis soon. If you enable it, both your username and email address are required to generate password reset emails via Special:PasswordReset. It can be set as a local or global preference. Thank you! --IFried (WMF) (talk) 16:01, 28 February 2020 (UTC)[reply]

All my original objections on password reset as a valid solution is still in place. It is too easy to use the process as an attack vector. — Jeblad

what is the Enhacned Password Reset Now..? Lenutaa mirceaa (talk) 20:24, 23 August 2020 (UTC)[reply]

@Lenutaa mirceaa: Hello! Enhanced Password Reset is the name of the feature that was developed in this project. You can learn more about it in the password reset documentation on Mediawiki. Thanks! --IFried (WMF) (talk) 15:06, 26 August 2020 (UTC)[reply]

Pinging everyone who commented:@Jules78120, PlyrStar93, Iridescent, Jeblad, Super Wang, Vulphere, AfroThundr3007730, Aristeas, Zoranzoki21, 책읽는달팽, and Sannita:

Hello, everyone! The Enhanced Password Reset feature has now been deployed to all wikis, and documentation on the feature can be found on Help:Reset_password. For this reason, we are marking this project as complete. We have shared our final status update on the project page, which we invite you to check out. We hope that this feature helps improve the password reset experience for all wiki users, and thank you to everyone who participated in the project! --IFried (WMF) (talk) 17:50, 11 May 2020 (UTC)[reply]

Forgot password 41.114.225.99 09:59, 6 December 2022 (UTC)[reply]

The following is about the https://m.mediawiki.org/wiki/Help:Reset_password page. I can not make any changes or comments there (because editing is locked) and no "Talk" option is visible.

1 After "Note: When you edit this page", should mention that editing is locked and how else to submit changes.

2 Step 2 under "How do I reset my password?" should be "Enter your username or email address or both".

3 In the following unnecessarily-numbered box, "If you have enabled Enhanced Password Reset (see information in section 8)" should be changed because the article's sections are not numbered. The target is headed "I’m getting password reset emails that I didn’t request. How do I prevent this from happening?".

Peter Jones 202.168.33.73 21:50, 15 December 2022 (UTC)[reply]

Hello, thank you for the feedback, we will check and update and get back to you shortly. –– STei (WMF) (talk) 12:20, 8 January 2024 (UTC)[reply]