The LoginNotify project aims to improve security on Wikimedia sites by notifying the user when there are multiple unsuccessful attempts to login with that username.
This page documents a project the Wikimedia Foundation's Community Tech team has worked on or declined in the past. Technical work on this project is complete.
The warning messages are delivered via the user's Echo notifications, email, or both, with a link to a Help page on Mediawiki.org that explains the message, and offers suggestions for what to do next.
There are three types of notifications that can be flagged for the user's attention: Failed login attempts from a known device, failed login attempts from an unknown device, and successful login from an unknown device.
Each notification type can be delivered by web (Echo notifications), by email, or both. For failed login attempts, the web notification is on by default; for successful logins, the email notification is on by default. Both can be changed in the user's notification preferences.
Failed login attempts
Failed login attempts from a known device
For known devices/IPs, the first four failed attempts are not reported, since it is fairly common to mistype or forget a password. On the fifth failed attempt the user is notified: "There have been 5 failed attempts to log in to your account since the last time you logged in. If this wasn't you, please make sure your account has a strong password." Further notifications follow at 10 attempts, 15 attempts, and so on.
Failed login attempts from an unknown device
For unknown devices/IPs, we alert on every failed attempt. The extension bundles these notifications to avoid spamming users with too many notifications. For example, if there are 3 failed attempts from an unknown device, there will be a single notification, which says: "There have been 3 failed attempts to log in to your account from a new device since the last time you logged in. If this wasn't you, please make sure your account has a strong password." On further attempts, that notification would update to say "4 failed attempts," "5 failed attempts", and so on.
By default, web notifications are turned on for failed login attempts, and email notifications are turned off.
Successful logins
This notification sends you an email when someone logs in successfully to your account from a device and IP address that have not been used with it before. This is especially helpful for admins and other functionaries who are concerned that their rights might be misused. As noted above, the email notification is on by default for this type; there is no web notification for it. The email text says: "Someone (probably you) recently logged in to your account from a new device. If this was you, then you can disregard this message. If it wasn't you, then it's recommended that you change your password, and check your account activity."
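The three rules described above (known-device failures reported at every fifth attempt, unknown-device failures reported on every attempt but bundled into one notification whose count is updated in place, and a successful login from an unknown device reported by email) can be modelled in a few lines. The following is an added example written for this page; it is not the LoginNotify extension's own PHP code. It assumes that a device is identified by a (device cookie, IP) pair and counts as "known" once it has completed a login, and that a successful login resets the failure counters, which follows from the message wording "since the last time you logged in"; neither detail is specified on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Page: for known devices/IPs, alert at the 5th failure and every 5 after that.
KNOWN_DEVICE_THRESHOLD = 5


@dataclass
class Notification:
    user: str
    kind: str      # "login-fail-known", "login-fail-new" or "login-success"
    channel: str   # "web" (Echo) or "email", following the page's defaults
    text: str


@dataclass
class AccountState:
    # Assumption (not on the page): a device is "known" once this
    # (device_cookie, ip) pair has completed a successful login.
    known_devices: Set[Tuple[str, str]] = field(default_factory=set)
    failed_known: int = 0        # failures since the last successful login
    failed_unknown: int = 0
    bundle: Optional[Notification] = None   # the one open unknown-device notification


class LoginNotifyModel:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}
        self.sent: List[Notification] = []

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_known(self, user: str, device_cookie: str, ip: str) -> bool:
        return (device_cookie, ip) in self._state(user).known_devices

    def login_failed(self, user: str, device_cookie: str, ip: str) -> Optional[str]:
        """Record a failed login; return the notification text shown, or None."""
        st = self._state(user)
        if self.is_known(user, device_cookie, ip):
            st.failed_known += 1
            if st.failed_known % KNOWN_DEVICE_THRESHOLD:
                return None  # tolerate mistypes until the threshold is hit
            text = (f"There have been {st.failed_known} failed attempts to log in to "
                    "your account since the last time you logged in. If this wasn't you, "
                    "please make sure your account has a strong password.")
            self.sent.append(Notification(user, "login-fail-known", "web", text))
            return text
        # Unknown device: every failure is reported, but bundled into a single
        # notification whose count is updated rather than a new one per attempt.
        st.failed_unknown += 1
        text = (f"There have been {st.failed_unknown} failed attempts to log in to your "
                "account from a new device since the last time you logged in. If this "
                "wasn't you, please make sure your account has a strong password.")
        if st.bundle is None:
            st.bundle = Notification(user, "login-fail-new", "web", text)
            self.sent.append(st.bundle)
        else:
            st.bundle.text = text
        return text

    def login_succeeded(self, user: str, device_cookie: str, ip: str) -> Optional[str]:
        """Record a successful login; return the email text sent, or None."""
        st = self._state(user)
        email = None
        if not self.is_known(user, device_cookie, ip):
            email = ("Someone (probably you) recently logged in to your account from a new "
                     "device. If this was you, then you can disregard this message. If it "
                     "wasn't you, then it's recommended that you change your password, and "
                     "check your account activity.")
            self.sent.append(Notification(user, "login-success", "email", email))
            st.known_devices.add((device_cookie, ip))
        # Counters are "since the last time you logged in": reset them and close
        # the open unknown-device bundle so later failures start a fresh one.
        st.failed_known = st.failed_unknown = 0
        st.bundle = None
        return email

    def notifications_for(self, user: str) -> List[Notification]:
        return [n for n in self.sent if n.user == user]


if __name__ == "__main__":
    # Constructed sample activity (documentation IP ranges, not real traffic).
    m = LoginNotifyModel()
    m.login_succeeded("alice", "cookie-A", "203.0.113.5")      # first login: emails alice
    for _ in range(5):
        m.login_failed("alice", "cookie-A", "203.0.113.5")     # 5th failure notifies
    for _ in range(3):
        m.login_failed("alice", "cookie-B", "198.51.100.7")    # one bundled notice, count 3
    for n in m.notifications_for("alice"):
        print(n.kind, n.channel, n.text[:40])
```

Running the block prints one email for the first login from the new device, one web notification for the five known-device failures, and a single bundled web notification reading "3 failed attempts ... from a new device" for the three unknown-device failures.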
Links in the notification
At the end of each message is a link that says "Change password" in a smaller font; this link points to Special:ChangePassword.
If you click on the notification, it links to Help:Login notifications on Mediawiki.org, which explains the feature and has links for more information on creating a strong password.
Oct 19, 2017
Several people, on the talk page and on Phabricator (T174388), have said that the notification isn't informative enough. The suggestion is to show the IP and/or location of the successful login. We think that the IP by itself probably wouldn't be very informative to most users, but showing the location would help. In order to do that, we need an extension that fetches geolocation from the IP address, which is being discussed in T174553. We're going to look into this further.
Aug 18, 2017
LoginNotify is now live!
June 7, 2017
April 24, 2017
The extension has been modified to address all of the major issues thus far. We're looking into how emails will be handled and look forward to getting community feedback on this feature soon. The extension is live on the beta cluster. Pending final decision on the thresholds.
March 8, 2017
We'll change the notification to include a link to a Mediawiki.org page, which will explain the message, and offer suggestions for what to do next. (Check to see if a page like that already exists.) This page should be translated.