Allow more than 1 password reset per 24 hours
Open, Needs Triage · Public

Description

Created from OTRS ticket #9205643

I recently tried to reset my password and I put in the wrong email address when I tried to reset my password. Since I used the wrong email address Wikipedia did not send me a password reset code. I went back and input my other email address and tried to reset my password but I received an error message saying that I couldn't attempt to reset my password for another 24 hours.

I understand you want to reduce fraud and avoid hackers using robots to hack into people's accounts; however, I think allowing one try per 24 hours is overly restrictive. Most sites allow at least three attempts before locking accounts. I suggest Wikipedia do the same.


See Also: T54839: 24 hour Reset password email lock should not be set if sending the email failed

Samtar created this task. Jun 4 2016, 9:50 AM
Aklapper renamed this task from "Feature suggestion: Allow more than 1 password reset per 24 hours" to "Allow more than 1 password reset per 24 hours". Jun 6 2016, 9:54 AM
Aklapper updated the task description.
Krenair added a subscriber: Krenair. Jun 6 2016, 4:08 PM

MediaWiki's defaults include $wgPasswordReminderResendTime = 24;. I think maybe Wikimedia should just override that, or we could move it down to something more like 8 hours.

Aklapper added a subscriber: Danny_B.

[ This is not Security-Reviews per its project description, hence removing ]

Florian added a subscriber: Florian. Jun 7 2016, 5:29 PM
Bawolff added a subscriber: Bawolff. Jun 8 2016, 2:49 AM

I think maybe it makes more sense to allow 3 tries in a 24 hour period, instead of reducing the length of the period. After all, if you make a typo, you probably don't want to wait 8 hours any more than you want to wait 24 hours to try again.
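
As an added sketch (not MediaWiki's code and not posted by anyone in this thread) of the two ideas discussed here, a 3-attempts-per-24-hours window instead of a single attempt, and the T54839 point that a send which never went out must not start the lock. The per-account store, the `send_mail` callback and the timestamps are all constructed for the illustration.

```python
from collections import defaultdict
from typing import Callable

WINDOW_HOURS = 24            # same window as the default $wgPasswordReminderResendTime = 24
MAX_ATTEMPTS_PER_WINDOW = 3  # the "3 tries in a 24 hour period" proposal, instead of 1


class ResetThrottle:
    """Per-account rolling-window throttle on reset e-mails (hypothetical, not MediaWiki's)."""

    def __init__(self, window_hours: int = WINDOW_HOURS, max_attempts: int = MAX_ATTEMPTS_PER_WINDOW):
        self.window = window_hours * 3600
        self.max_attempts = max_attempts
        # account -> timestamps (epoch seconds) of reset mails that were actually sent
        self._sent = defaultdict(list)

    def remaining(self, account: str, now: float) -> int:
        """Attempts left in the window ending at `now`; entries older than the window are dropped."""
        cutoff = now - self.window
        self._sent[account] = [t for t in self._sent[account] if t > cutoff]
        return self.max_attempts - len(self._sent[account])

    def request_reset(self, account: str, address: str, now: float,
                      send_mail: Callable[[str], bool]) -> str:
        """Returns 'throttled', 'send_failed' or 'sent'."""
        if self.remaining(account, now) <= 0:
            return "throttled"
        if not send_mail(address):
            # T54839: nothing was sent (e.g. a mistyped address), so do not
            # consume one of the user's attempts or start the lockout clock.
            return "send_failed"
        self._sent[account].append(now)
        return "sent"


def simulate_reporter_scenario() -> list:
    """Replay the task description with constructed data: a typo, the right address, then a burst."""
    throttle = ResetThrottle()
    t0 = 1_700_000_000.0  # constructed timestamp

    def mailer(addr: str) -> bool:  # stub MTA: only the mistyped address fails
        return addr != "wrong@example.invalid"

    steps = [
        (t0, "wrong@example.invalid"),                   # typo: no mail, must not lock for 24h
        (t0 + 60, "right@example.invalid"),              # attempt 1 of 3
        (t0 + 120, "right@example.invalid"),             # attempt 2 of 3
        (t0 + 180, "right@example.invalid"),             # attempt 3 of 3
        (t0 + 240, "right@example.invalid"),             # fourth inside the window
        (t0 + 24 * 3600 + 61, "right@example.invalid"),  # attempt 1 has aged out of the window
    ]
    return [throttle.request_reset("Reporter", addr, t, mailer) for t, addr in steps]
```

The replay yields send_failed, then three sent, then throttled, then sent again once the oldest attempt leaves the window, so a mistyped address no longer costs the user a day.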

Danny_B removed a subscriber: Danny_B. Jun 8 2016, 11:41 AM