Open main menu

Community Wishlist Survey 2019/Anti-harassment/Add an option to require email address and username to reset password

 ◄ Back to Anti-harassment  The survey has concluded. Here are the results!


  • Problem: Trolls and LTAs have been knocking Special:PasswordReset with the intention of trolling and (currently) this cannot be prevented. Then I get password reset I did not request. While I know I have secure password (and 2FA) on both my SUL accounts and my email, it's annoying so it'd better if I can just prevent them. It sometimes gives the impression to ordinary users that their account is being compromised, which is not a good UX.
  • Who would benefit: Those who gets spammed with false password reset
  • Proposed solution: Have a OPT-IN checkbox on Preferences, turned off by default. The checkbox will require you to enter your registered email address AND your username to get a password reset. When you set this up, you know your email address, but trolls don't.
  • More comments:
  • Phabricator tickets: phab:T145952
  • Proposer: — regards, Revi 10:38, 4 November 2018 (UTC)

DiscussionEdit

  • When I can use different mailadresses and I have forgotten which one is necessary for passwort reset? There should be a separate option to send a confirmation mail to the adress used.--Brainswiffer (talk) 07:24, 17 November 2018 (UTC)
    • That is not part of this vote. — regards, Revi 07:29, 17 November 2018 (UTC)
    • Currently, you just need to know one of the following: "Email address used for the account" OR "user name", so technically you do not need to know email address to send password reset. But this is being actively abused and one steward I know gets 20 passwords per week (or day, I don't recall). With my proposal, people who voluntarily choose to enforce strict requirement will need to know both "email address used for the account" AND "user name". It's a big difference. Since the change is supposed to be opt-in (you have to click a check box on Preferences, and save it - it is not enabled by default when you register or suddenly forced when you sign in) most ordinary users do not need to take any actions. — regards, Revi 08:08, 17 November 2018 (UTC)
  • Without going into all reasons why this does not work, this doesn't really work even if it is quite common. A real solution is based upon something an attacker can't know, not something that is just a little bit hard to know. So instead of using a mailaddress as the additional information you use one-time scratch codes, and store them as hash codes on the server. That means only the user knows the real scratch codes, but also that the user requesting the scratch codes must keep them safely. — Jeblad 08:05, 18 November 2018 (UTC)
Given our position on 2FA expansion and number of people losing 2FA & scratch code, that is not a solution as well. — regards, Revi 08:31, 18 November 2018 (UTC)
Sorry, but scratch codes are the only solution that works and can be proven to be secure. Email and SMS is not secure, and using those for reacquiring credentials can be circumvented. The ting you use to identify yourself can not be anything an attacker can know or easily regenerate. That include all kinds of smart questioning, means of communication, etc.
Note that the present implementation of 2FA at WMFs servers are defacto a single factor login. I leave it to the reader to figure out why.
Anyhow, there are a lot of information available about this, so it should be unnecessary to argue about it. — Jeblad 09:38, 18 November 2018 (UTC)
  • @Jeblad: you seem to be confusing security measures and anti-harrassment measures (and probably many other things too, judging from your single factor remark, but that's off topic here). Security-wise, we are worried about an attacker looking for vulnerable accounts (and not one specific account, as there isn't really any reason for an attacker to limit themselves to one), and it is always easy to find accounts with public email addresses. It does not matter though as the security of password reset does not rely on the email address being secret, or the attacker not being able to request password reset; it relies on the attacker not having access to the target's emails. Harrassment-wise, on the other hand, we are worried about the attacker targeting one specific user, whose email address is not known (if it is known the attacker has more direct ways of harassing them so they need to fix that first), so the idea proposed here works just fine. --Tgr (talk) 22:12, 25 November 2018 (UTC)
I'm probably quite stupid, but please discuss the facts, not the persons. This proposal is about a concrete implementation, and that implementation does not work. It fails on the assumption that "it relies on the attacker not having access to the target's emails." A determined attacker will only request a password reset by a specific communication system if he has access to that system. Whether that would be email, SMS, or whatever does not matter. — Jeblad 10:02, 26 November 2018 (UTC)
I don't think Tgr was saying you're stupid. Just confused. After I read your comments I get het impression that you are conflating security (the protection of authentication and access) with anti-harassment (making it difficult for jerks to bother an individual). Both are important. This proposal is in the latter category. It's about stopping people from spamming someone with password reset email notifications over-and-over, not about making the securing of an account stronger. I agree as a security proposal this would not have much impact, but as an anti-harassment proposal it's helpful for a lot of users. I get these false-positive emails with my staff account. Makes my heart jump into my throat a little each time. :) I'd gladly opt-in to this feature to make it a little more difficult for folks to mess with me. CKoerner (WMF) (talk) 16:18, 26 November 2018 (UTC)
Thank you for pointing out that I'm not stupid, just confused. I'll tell the professor next time that his ideas about tokens that are physical inaccessible for an attacker is a pretty dumb and confused idea. — Jeblad 20:42, 27 November 2018 (UTC)
I'm sorry my attempt at clarification frustrated you. I was just trying to help. CKoerner (WMF) (talk) 16:40, 29 November 2018 (UTC)
  • With a caveat: this is not foolproof. Many Wikimedia email addresses are easily guessed, or if you are a list-admin to a Wikimedia mailing list the information is out there. --Rschen7754 07:52, 26 November 2018 (UTC)
    • I assume there's no requirement that your list-admin email is the same as your wikimedia account email right? If so, with gmail and any similar systems you could easily use the plus trick to generate an email address that the attacker won't be able to guess unless you've contacted them over wikipedia email before while keeping everything together. e.g. use rschen7754+wikipedia7754@gmail.com for your wikimedia email. You can just replace your email address in wikimedia if it ever becomes public somehow. Of course you will either have to remember it or make sure you keep a record of the address e.g. by making sure you don't delete emails to that address in the account it belongs to. Nil Einne (talk) 12:40, 1 December 2018 (UTC)

VotingEdit

  •   Support MER-C (talk) 18:59, 16 November 2018 (UTC)
  •   Support James Martindale (talk) 19:22, 16 November 2018 (UTC)
  •   Support XXBlackburnXx (talk) 20:15, 16 November 2018 (UTC)
  •   Support George Ho (talk) 20:30, 16 November 2018 (UTC)
  •   Support This should definitely be added and would be extremely useful to those of us who receive a good amount of password reset emails. Vermont (talk) 21:33, 16 November 2018 (UTC)
  •   Support See above. Super Wang on zhwiki (Share your opinions) 23:55, 16 November 2018 (UTC)
  •   Support Braveheidi (talk) 01:05, 17 November 2018 (UTC)
  •   Support Dolotta (talk) 01:07, 17 November 2018 (UTC)
  •   Support New visitor (talk) 02:02, 17 November 2018 (UTC)
  •   Support Ellery (talk) 02:38, 17 November 2018 (UTC)
  •   Support Liuxinyu970226 (talk) 03:38, 17 November 2018 (UTC)
  •   Support Hiàn (talk) 04:44, 17 November 2018 (UTC)
  •   Support Andrew J.Kurbiko (talk) 05:15, 17 November 2018 (UTC)
  •   Support 4nn1l2 (talk) 05:27, 17 November 2018 (UTC)
  •   Support Jimmyshjj (talk) 06:06, 17 November 2018 (UTC)
  •   Support Kpgjhpjm (talk) 07:37, 17 November 2018 (UTC)
  •   Support Acamicamacaraca (talk) 08:09, 17 November 2018 (UTC)
  •   SupportAmmarpad (talk) 08:41, 17 November 2018 (UTC)
  •   Support Because there is a possibility that it can be misused with only one element. 水瀬悠志 (talk) 09:32, 17 November 2018 (UTC)
  •   Support --Alaa :)..! 10:39, 17 November 2018 (UTC)
  •   Support ‐‐1997kB (talk) 11:07, 17 November 2018 (UTC)
  •   Support Martin Urbanec (talk) 13:45, 17 November 2018 (UTC)
  •   Support Zoranzoki21 (talk) 13:51, 17 November 2018 (UTC)
  •   Support Winged Blades of Godric (talk) 16:01, 17 November 2018 (UTC)
  •   Support Yilku1 (talk) 16:38, 17 November 2018 (UTC)
  •   Support As Im patrolling recent changes on dewiki, I frequently get such mails from IPs who want to say ironically thanks for reverting their vandalism Victor Schmidt (talk) 16:58, 17 November 2018 (UTC)
  •   Support Alangi Derick (talk) 17:11, 17 November 2018 (UTC)
  •   Support Cabayi (talk) 17:22, 17 November 2018 (UTC)
  •   Support Aristeas (talk) 17:31, 17 November 2018 (UTC)
  •   Support Amir (talk) 18:49, 17 November 2018 (UTC)
  •   Strongest possible support Definitely a good idea — pythoncoder (talk | contribs) 19:21, 17 November 2018 (UTC)
  •   Support Helland (talk) 19:51, 17 November 2018 (UTC)
  •   SupportThanks for the fish! talkcontribs 19:55, 17 November 2018 (UTC)
  •   Support JAn Dudík (talk) 20:00, 17 November 2018 (UTC)
  •   Support Yamaha5 (talk) 20:34, 17 November 2018 (UTC)
  •   Support MehdiTalk 20:37, 17 November 2018 (UTC)
  •   Support Seems to be a great solution to a seemingly long-standing problem on Wikipedia. SshibumXZ (talk) 21:04, 17 November 2018 (UTC)
  •   Support obviously yes Cohaf (talk) 21:09, 17 November 2018 (UTC)
  •   Strongest possible support Seems like a great idea. Redactyll (talk) 17:31, 17 November 2018 (UTC)
  •   Support Bellezzasolo (talk) 21:50, 17 November 2018 (UTC)
  •   Support --Hadibe (talk) 22:10, 17 November 2018 (UTC)
  •   Support Wunkt2 (talk) 02:47, 18 November 2018 (UTC)
  •   Support TonyBallioni (talk) 03:53, 18 November 2018 (UTC)
  •   Support The fact that it is opt-in makes it very easy to support this. Mz7 (talk) 03:53, 18 November 2018 (UTC)
  •   Support Temp3600 (talk) 05:49, 18 November 2018 (UTC)
  •   Support 책읽는달팽 (User talk) 07:47, 18 November 2018 (UTC)
  •   Strong oppose Wrong solution. [And I'm dumb and confused that say so.] — Jeblad 08:05, 18 November 2018 (UTC)
  •   Support Jules78120 (talk) 09:50, 18 November 2018 (UTC)
  •   Support فرهنگ2016 (talk) 10:41, 18 November 2018 (UTC)
  •   Support Hydriz (talk) 14:25, 18 November 2018 (UTC)
  •   Support Massimo Telò (talk) 14:46, 18 November 2018 (UTC)
  •   Support — Draceane talkcontrib. 17:41, 18 November 2018 (UTC)
  •   Support Bruce1ee (talk) 18:06, 18 November 2018 (UTC)
  •   Support Fatemi 18:53, 18 November 2018 (UTC)
  •   Support Continua Evoluzione (talk) 19:50, 18 November 2018 (UTC)
  •   Support Poya-P (talk) 20:54, 18 November 2018 (UTC)
  •   Support Stryn (talk) 21:35, 18 November 2018 (UTC)
  •   Support Shizhao (talk) 02:36, 19 November 2018 (UTC)
  •   Support Courcelles 15:03, 19 November 2018 (UTC)
  •   Support Rschen7754 19:27, 19 November 2018 (UTC)
  •   Support Kb03 (talk) 00:48, 20 November 2018 (UTC)
  •   Support Reasonable proposal to enhance account security, opt-in is also a good solution in case some other people don't like it for whatever reason. -★- PlyrStar93 Message me. 01:02, 20 November 2018 (UTC)
  •   SupportAjraddatz (talk) 04:00, 20 November 2018 (UTC)
  •   Support providing it's explicitly opt-in, and that there's still a mechanism to over-ride the "email is required" in extreme circumstances since there are circumstances where people will genuinely lose access to email accounts (the mail provider going bust, a rarely-used account being closed for inactivity, a work email for a job from which you've been fired). Making this the default would be a very bad idea.Iridescent (talk) 10:11, 20 November 2018 (UTC)
  •   Support Vulphere 14:37, 20 November 2018 (UTC)
  •   Support Tiputini (talk) 18:04, 20 November 2018 (UTC)
  •   Support Rachel Helps (BYU) (talk) 19:05, 20 November 2018 (UTC)
  •   Support Andrewredk (talk) 20:16, 20 November 2018 (UTC)
  •   Support CAPTAIN RAJU(T) 22:30, 20 November 2018 (UTC)
  •   Support Novak Watchmen (talk) 23:54, 20 November 2018 (UTC)
  •   Support Ohwowchow (talk) 02:13, 21 November 2018 (UTC)
  •   Support Omotecho (talk) 03:53, 21 November 2018 (UTC)
  •   Support Tisfoon (talk) 06:11, 21 November 2018 (UTC)
  •   Support Bencemac (talk) 08:15, 21 November 2018 (UTC)
  •   Support JopkeB (talk) 08:51, 21 November 2018 (UTC)
  •   Support Ayoub Fajraoui (talk) 09:31, 21 November 2018 (UTC)
  •   Support Fine... Stevenmitchell (talk) 15:57, 21 November 2018 (UTC)
  •   Support Arian Talk 18:36, 21 November 2018 (UTC)
  •   Support Framawiki (talk) 19:42, 21 November 2018 (UTC)
  •   Support Nihlus 22:14, 21 November 2018 (UTC)
  •   Support Jackmegill (talk) 23:15, 21 November 2018 (UTC)
  •   Support tOMG 05:37, 22 November 2018 (UTC)
  •   Support Lirazelf (talk) 12:53, 22 November 2018 (UTC)
  •   Support Tho I do not suffer from this problem, I see how this is a big issue to some editors. Solving this problem seems to have no downsides. ーTesser4D 【🅱alk】 17:33, 22 November 2018 (UTC)
  •   Support This should be easy to do FiliP ██ 20:12, 22 November 2018 (UTC)
  •   Support ~Cybularny Speak? 15:53, 23 November 2018 (UTC)
  •   Support James F. (talk) 22:42, 23 November 2018 (UTC)
  •   Support Sannita - not just another it.wiki sysop 00:27, 24 November 2018 (UTC)
  •   Support Matěj Suchánek (talk) 08:39, 24 November 2018 (UTC)
  •   Support Hmxhmx 09:56, 24 November 2018 (UTC)
  •   Support Gce (talk) 19:03, 24 November 2018 (UTC)
  •   Support Wuyouyuan (talk) 20:30, 24 November 2018 (UTC)
  •   Support ~ Seb35 [^_^] 22:22, 24 November 2018 (UTC)
  •   Support By erdo can • TLK 08:56, 25 November 2018 (UTC)
  •   Support Easy fix for a longstanding problem. — Insertcleverphrasehere (or here) 11:40, 25 November 2018 (UTC)
  •   Support It won't solve the problem forever, but it's a great idea to solve the problem. We have suffered from it a lot. Mariogoods (talk) 13:16, 25 November 2018 (UTC)
  •   Support Tgr (talk) 22:12, 25 November 2018 (UTC)
  •   Support — AfroThundr (u · t · c) 01:42, 26 November 2018 (UTC)
  •   Support It's been a while since I got this kind of email, but I've always found them disconcerting. Daniel Case (talk) 06:01, 26 November 2018 (UTC)
  •   Support --Maimaid (talk) 09:17, 26 November 2018 (UTC)
  •   Support TheMesquito (talk) 15:06, 26 November 2018 (UTC)
  •   Support CKoerner (WMF) (talk) 16:21, 26 November 2018 (UTC)
  •   Support *Youngjin (talk) 17:20, 26 November 2018 (UTC)
  •   Support Whispering (talk) 21:20, 26 November 2018 (UTC)
  •   Support - FlightTime (open channel) 21:56, 26 November 2018 (UTC)
  •   Support -- Amanda (aka DQ) 22:52, 26 November 2018 (UTC)
  •   Support ifny (talk) 01:45, 27 November 2018 (UTC)
  •   Support YFdyh000 (talk) 15:26, 27 November 2018 (UTC)
  •   Oppose --Ciao • Bestoernesto 00:42, 28 November 2018 (UTC)
  •   Support Hwangjy9 (talk) 07:54, 28 November 2018 (UTC)
  •   Support JaventheAlderick (talk) 10:24, 28 November 2018 (UTC)
  •   Support Calvinballing (talk) 14:43, 28 November 2018 (UTC)
  •   Support Pmlineditor (t · c · l) 17:14, 28 November 2018 (UTC)
  •   Support Kpjas (talk) 10:20, 29 November 2018 (UTC)
  •   Support Seems quite easy, so hopefully Community Tech will have time to go beyond the top ten whishes. ;) Tacsipacsi (talk) 20:56, 29 November 2018 (UTC)
  •   Support NicoScribe (talk) 11:25, 30 November 2018 (UTC)
  •   Support Alucard 16 (talk) 15:32, 30 November 2018 (UTC)
  •   Support RolandUnger (talk) 16:41, 30 November 2018 (UTC)