T174263 has asked for email notifications for LoginNotify to be turned on by default. We should ask a couple of other communities to test the waters.
Description
Description
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Declined | Johan | T174568 Email by default when someone tries to log in to your account? | |||
| Open | None | T174838 Gather information on successful-login notifications that would be sent |
Event Timeline
Comment Actions
Posting something like this:
Hi everyone, we recently turned on [[LoginNotify]], a feature that’ll tell you when someone tries to log in to your account and fails. You’ll get a notification here per default (can be turned off in your preferences), and you can turn on email notifications.
We’re sort of being told by the community that we’re letting the editors down by not having email notifications when someone else tries to log in to your account on by default. The reasons for doing this would be something like this:
- It’s about their account. It concerns them personally. It’s not emailing them to get their attention to some feature or decision someone else has decided is important.
- If you don’t want these emails, you can turn them off. If you’re not logged in for a couple of weeks, however, you won’t even be aware of the potential problem. Most editors won’t know LoginNotify exists – they can make the decision to turn it off if they get emails and don’t want them, but they’ll never get the chance to consciously turn it on. A campaign to make sure everyone's aware of LoginNotify would be far more annoying than potentially getting an email about someone else trying to log in to your account.
- We know a lot of folks have pretty bad password security. They use weak passwords and – worse – they reuse passwords. That puts their accounts at risk and makes this important.
- If it’s not on by default on all wikis, that’s blocking the security for the wikis that turn it on by default. Then you just need to figure out which wikis don’t have this on by default (the accounts are global, after all), which will be public information, and try to log in there.
Link to other discussions: Hebrew Wikipedia, [[phab:T174263]].
Does this make sense to you?
Comment Actions
I'd pick a couple of wikis from English, Swedish, German, Danish, Norwegian (Bokmål, probably, rather than Nynorsk), mainly because it's easiest for me to follow and take part in discussions in those languages. (:
Comment Actions
Ah, this was focused on emailing you when someone fails to log in to your account, because that was the focus of my conversation with Danny when he brought this up, but I realise now that the conversation about global default is of course about both LoginNotify email notifications. Sorry.
Comment Actions
The problem is that if somebody did not see notification - it's his problem, but if there is no notifications for worth problem - he can't know somebody succeeded to login.
Comment Actions
What about standardizing / making a routine about asking for early testers at the Tech Ambassadors mailing list, to give a chance to other projects (other voices, other perspectives) to step in?
Comment Actions
I've been thinking about having a community group of testers who we can approach for getting our tools/extensions beta-tested and getting feedback before we put them out live. I put forth this idea on #wikipedia-en channel a few weeks ago and it was met with enthusiastic response with about four people reaching out to me, requesting to be on such a group. Is Tech Ambassadors basically the same idea? I didn't know what the purpose of that list was.
Comment Actions
@Niharika , this sounds to me close enough? Let's discuss at T170127: Define, together with the community, a description of the roles of "translator" and "tech ambassador" and related KPIs, for Technical Collaboration's new KPIs.
Comment Actions
Sure, but not for a task like this, given that this isn't about early testing of a feature – it's in production, and notifications are on by default, so everyone's already using it, so to speak – but simply asking what to do with a specific preference.
Comment Actions
So something like this?
Hi everyone, we recently turned on [[LoginNotify]], a feature that’ll tell you when someone tries to log in to your account and fails. You’ll get a notification here per default (can be turned off in your preferences), and you can turn on email notifications.
We’re sort of being told by the community that we’re letting the editors down by not having email notifications when someone else tries to log in to your account (or logs in from a new place, which could be someone not you taking over your account) on by default. If you accidentally mistype your password from a device or IP that has previously logged in to the account, you need to fail five times before you're notified, so you won't be notified all the time because you slipped on the keyboard.
The reasons for email notifications by default if someone tries to log in and fails:
- It’s about their account. It concerns them personally. It’s not emailing them to get their attention to some feature or decision someone else has decided is important.
- If you don’t want these emails, you can turn them off. If you’re not logged in for a couple of weeks, however, you won’t even be aware of the potential problem. Most editors won’t know LoginNotify exists – they can make the decision to turn it off if they get emails and don’t want them, but they’ll never get the chance to consciously turn it on. A campaign to make sure everyone's aware of LoginNotify would be far more annoying than potentially getting an email about someone else trying to log in to your account.
- We know a lot of folks have pretty bad password security. They use weak passwords and – worse – they reuse passwords. That puts their accounts at risk and makes this important.
- If it’s not on by default on all wikis, that’s blocking the security for the wikis that turn it on by default. Then you just need to figure out which wikis don’t have this on by default (the accounts are global, after all), which will be public information, and try to log in there.
For the second discussion, about someone successfully logging in to your account from a new place, the reasons are similar.
- This is the best defence you have if someone succeeds to log in. You'll immediately get an email.
- If you don’t want these emails, you can turn them off – but most editors won’t know LoginNotify exists – they can make the decision to turn it off if they get emails and don’t want them, but they’ll never get the chance to consciously turn it on. A campaign to make sure everyone's aware of LoginNotify would be far more annoying than potentially getting an email about someone else trying to log in to your account.
- We know a lot of folks have pretty bad password security. They use weak passwords and – worse – they reuse passwords. That puts their accounts at risk and makes this important.
- Yet again, if this isn't turned on by default on all wikis, it leaves a very big security hole because all you need to do is find a wiki where this is turned off by default and most editors will not be notified.
Link to other discussions: Hebrew Wikipedia, [[phab:T174263]].
Does this make sense to you?
Comment Actions
Well, I already that my oppinion. Email when login fails is something small and not important. The mail message when somebody evil succeeded to log in to your page js the important issue.
Comment Actions
I really don't like the line "We’re sort of being told by the community that we’re letting the editors down".
We created and released a new feature; some people are suggesting a change in that feature, so we're reaching out to hear more. That's great and healthy and how this is supposed to work.
"We're sort of being told by the community" means that everyone hates this feature, and we're feeling sheepish and ashamed about it.
The text makes it pretty clear that there's a long list of good and important reasons why we should make the change, and there's no good reason to not make it. If that's the way that we feel about it, we shouldn't bother to have this conversation. Let's just make the change.
Comment Actions
You are assuming that it will (almost) always detect you properly.
Sending an email when someone fails your user password is quite safe, since it stems from a bad action (someone tried to access your account not having the right credentials). Even if it's the actual account owner, he has done something wrong. On a normal usage, there will be zero notifications. And if the owner himself failed to log in, he would have received an error message at that point, and is likely to remember «oh, yes I mistyped my password a couple hours ago».
On the other hand, notification of a successful login by someone not recognised relies on heuristics. A user could be receiving 3-4 email notifications every day, at which point:
- they are mainly useless, since he won't notice an "evil login" amongst the many emails that the wiki sends him for the proper ones
- they don't have a way to determine if it was really them or not (as currently they only reveal that "there was a login", you need to match them based on timestamps)
- they get annoyed at Wikimedia for spamming them
I don't think we should enable it globally without first obtaining data about the number of notifications it would trigger. This could be quite higher than expected.
In order to activate it, I would start by doing something clearer like warning when there is a login from a different country than those you previously connected from. Maybe also down to the AS. Those are quite accurate, and are simple to justify. (note: this is currently not implemented)
.
Another interesting topic would be if it is more or less likely that an account compromise happened guessing the right password at the first attempt, but I guess it will vary greatly depending on the way it was obtained, and if there were still a few bits of entropy that needed guessing.
Comment Actions
Sorry, @Platonides, but we have some misunderstanding. I can't see why do you need heuristics to send a mail for successful login on unfamiliar device, and why do you think about 3-4 notifications every day - if you do not buy a new iPhone every hour, it should be once a year, maybe twice.
Comment Actions
@IKhitron if the browser is configured to delete the cookies on exit, it will be unfamiliar every time, so you are back to "Did he edit recently from a nearby IP address?".
Comment Actions
Well, now I undersfand you. And how these five users across the world do not get such letters from Gmail 3 times every day? Google has the same service, for all clients.
Comment Actions
Maybe they do. Perhaps Google is smarter and uses more datapoints/configured differently. They could even not be using Gmail.
Comment Actions
I can assure you the number of such users is much higher than 5. People use tor and what not to protect their privacy online.
Comment Actions
Whether to contact a larger or a smaller audience depends on the real needs of the current phase of the project, and I trust Johan's gut with this. I recommend for the future considering a "Community Wishlist" taskforce of people who want to be bugged about ideas etc.
Comment Actions
In order to check this, please point me to the repository where I can view the code Google is using.
Anyway, I did notice that -unsurprisingly- they use a different algorithm than us. Prompted by this thread, yesterday I noted that I had been using a logged in session for entering into Gmail (that's all that browser is used for), so I cleared their cookies. Today, it sent me an "Account security alert" on login, despite connecting from the same IP address and using the same browser version. I have to admit not paying much attention to those. Although, given that they appear on top just after you logged in, it is clear that it was generated by your current session. That's a bit different than viewing an email about a login at a different time on a third-party service.
Comment Actions
So, you can't be sure.
Anyway, I did notice that -unsurprisingly- they use a different algorithm than us. Prompted by this thread, yesterday I noted that I had been using a logged in session for entering into Gmail (that's all that browser is used for), so I cleared their cookies. Today, it sent me an "Account security alert" on login, despite connecting from the same IP address and using the same browser version. I have to admit not paying much attention to those. Although, given that they appear on top just after you logged in, it is clear that it was generated by your current session. That's a bit different than viewing an email about a login at a different time on a third-party service.
This means that Google sends even more letters than wiki, and nobody cries.
Comment Actions
So, you can't be sure.
Of course not. I'm pretty sure they are using a lot more information into their risk analysis of each login (and then, the action to take -the scores at which they are taken- probably depends on another analysis related to the account properties. For instance, I only seem to have received an login block requiring extra authentication when connecting from a new country). Maybe you should back your claim on T174568#3572025 stating why you consider that both algorithms are comparable.
This means that Google sends even more letters than wiki,
In my case it is sending a fair amount. But I'm not sure a population of 1 is representative.
Note it could eg. be exempting those where there is an Android smartphone using the same IP address logged in on this account (as they are constantly contacting Google). Yet that's not something available for Wikimedia to use.
and nobody cries.
It doesn't mean they like it or that such emails are actually useful (how good is a security notification you don't read?). Also, I would consider wikipedians much more vocals than Google users (mainly because Google pays little attention to that, though).
Rather than continuing working with assumptions or comparisons with Google, I think actual data on the accuracy of the extension should be gathered.
Comment Actions
Maybe I just do not understand you. But how different can be an algorithm:
- Save each IP you ever were connected from.
- Put a cookie to each device you ever connected from.
- On each login, if the IP is not in the list and also if there is no cookie on this device, send a mail.