
Improve failed login notifications in LoginNotify extension
Closed, Resolved · Public · 3 Estimated Story Points

Description

Here are the current notifications:

Screen Shot 2017-03-08 at 5.56.25 PM.png (162×530 px, 23 KB)

Screen Shot 2017-03-08 at 5.59.22 PM.png (180×522 px, 28 KB)

Currently it provides a link under the notification text to your own user page.

Icon:

  • The lock icon should be replaced by the user avatar icon, to indicate that the notification is about a user. (You may need to copy this icon into the Echo extension.)

Web notifications:

  • Make the messages for the 2 failed login notifications the same (both in the web notifications and email notifications):
There have been (#) failed attempts to log in to your account since the last time you logged in. If this was you, then you can disregard this message. If it wasn't, you should consider changing your password.

Email notifications:

"There {{PLURAL:$2|has been a failed attempt|have been $2 failed attempts}} to log in to your account '$1' on {{SITENAME}}. If this was you, then you can disregard this message. If it wasn't, you should consider changing your password."
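As an added illustration (not LoginNotify's or MediaWiki's own code), a small Python expansion of the `{{PLURAL:$n|...}}`, `{{SITENAME}}` and `$n` subset of MediaWiki message syntax used in the e-mail message above, so both forms the template yields can be checked; `render_message` and its English-only plural rule are assumptions of this example.

```python
import re

# Constructed input: the e-mail message quoted in the task description.
FAILED_LOGIN_EMAIL = (
    "There {{PLURAL:$2|has been a failed attempt|have been $2 failed attempts}} "
    "to log in to your account '$1' on {{SITENAME}}. If this was you, then you can "
    "disregard this message. If it wasn't, you should consider changing your password."
)

# Matches {{PLURAL:$n|form1|form2|...}} (forms may not contain braces).
PLURAL_RE = re.compile(r"\{\{PLURAL:\$(\d+)\|([^}]*)\}\}")


def render_message(template, params, sitename):
    """Expand a subset of MediaWiki message syntax.

    Handles {{PLURAL:$n|one|other}}, {{SITENAME}} and the 1-based positional
    parameters $1, $2, ... (as MediaWiki numbers them). The plural rule is the
    English one only (count 1 -> first form, anything else -> last form); this is
    an assumption of the example, not MediaWiki's per-language rules.
    """
    def plural(match):
        count = int(params[int(match.group(1)) - 1])
        forms = match.group(2).split("|")
        return forms[0] if count == 1 else forms[-1]

    text = PLURAL_RE.sub(plural, template)
    text = text.replace("{{SITENAME}}", sitename)
    # Substitute highest-numbered parameters first so $1 does not clobber $10.
    for i in range(len(params), 0, -1):
        text = text.replace(f"${i}", str(params[i - 1]))
    return text


if __name__ == "__main__":
    for attempts in (1, 3):
        print(render_message(FAILED_LOGIN_EMAIL, ["Alice", attempts], "Wikipedia"))
```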

Event Timeline

The lock icon looks like a shopping bag. This should be replaced by something approved by a WMF designer.

Whether to use a lock icon at all might be questionable, but for starters the OOjs UI 'lock' icon is much better.

For the icon on the left, we could reuse the person silhouette that's next to the username -- it would indicate that the notice is username-related.

I want to edit the second message:
Current: There have been three failed attempts to login to your account from a computer you have not edited from recently, since the last time you logged in.
New version: There have been three failed attempts to login into your account since the last time you logged in.

I might want to edit the third message too, I'm thinking about wording.

I think there should be a link to a Mediawiki.org help page, explaining what the message means and what you should do about it. How about putting a link at the end of the warning text that says (more info) in a smaller font?

What do the email notifications look like?

Yes, I recommend a help page link as opposed to a MediaWiki.org link or user page.

As for the copy in the third message — Someone has successfully logged into your account from a device on which you have never edited. — Unless 'recently' is literal, in which case I would suggest Someone has successfully logged into your account from a device on which you have not recently edited.

We should probably use 'device' instead of 'computer' — right?

How about "Someone has successfully logged into your account from an unfamiliar device"?

Here's warnings from other sites:

Facebook:

facebook login example.png (602×1 px, 62 KB)

Twitter:

twitter warning.jpg (652×427 px, 87 KB)

Google:

google warning.jpg (670×545 px, 99 KB)

Should we talk to Security/IT about what advice to give people?

Maybe we don't need the more info link/Help page.

I think the only thing we want to say is: -- If this was you, then don't worry about it. If it wasn't you, then we'd suggest changing your password. --

So we could just put that in the notification. What do you think?

@DannyH, Hmm, if someone logged in to your account from some other IP/computer then changing the password won't help much, I suppose.

@kaldari Do you know if we have something to logout of all active sessions or something similar like other websites?

@Niharika If you change your password, then they won't be able to use it to log in next time.

@DannyH, but they are already in. So they can mess with pretty much everything.

😆
@DannyH: What most websites do is to allow you to log yourself out of all active sessions. So the invader would immediately find himself logged out and unable to do anything. This should probably already exist in MediaWiki and if not, we should consider adding it to the extension because without it, it seems quite unhelpful.

Current: There have been three failed attempts to login to your account from a computer you have not edited from recently, since the last time you logged in.
New version: There have been three failed attempts to login into your account since the last time you logged in.

@DannyH: So you are suggesting that we only have a single failed login notification (that uses the same text regardless of whether it was from a familiar device or an unfamiliar device)? I think that's a good idea as it makes it less confusing.

Yeah, I think one message for failed login would make life easier. On our end, we can choose different thresholds for known IPs and new IPs, but the user doesn't need to know those details.

kaldari renamed this task from Improve notifications in LoginNotify extension to Improve failed login notifications in LoginNotify extension. Mar 14 2017, 11:23 PM
kaldari updated the task description.
kaldari set the point value for this task to 3. Mar 14 2017, 11:26 PM
kaldari edited projects, added Community-Tech-Sprint; removed Community-Tech.
kaldari raised the priority of this task from Medium to High. Mar 14 2017, 11:28 PM
kaldari updated the task description.

@DannyH: I was thinking some more about the notifications for failed log-ins (while testing MusikAnimal's patch), and I was wondering if maybe we should give the user more specific advice, like:

There have been X failed attempts to log in to your account since the last time you logged in. If this was you, then you can disregard this message. If it wasn't, please make sure your account has a strong password.

Currently, we tell them to consider changing their password, which could actually make it worse (and wouldn't make sense for people who already have good unique passwords).

I was wondering if maybe we should give the user more specific advice, like: ... If it wasn't, please make sure your account has a strong password.

To actually change the password a user has to go to the page Special:ChangeCredentials/MediaWiki\Auth\PasswordAuthenticationRequest

This page contains a text field (changecredentials-summary) -- but it contains no text. This field could easily be filled with a text like: "Please enter a strong and unique password" No programming is required and everyone who sets or changes a password would profit.

see: T122124 Tell users to use a unique password when creating an account.

@kaldari Yes, that's a really good thought. Let's do that.

Change 343332 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Simplify messages in login notification, still having two separate messages so wikis can configure them as desired.

https://gerrit.wikimedia.org/r/343332