
Allow using a bot password with base username
Closed, Resolved · Public

Description

Bot passwords were created with the goal of providing a safe login option for people who are stuck with old bot code, but they don't quite achieve that: most bots will have a single "username" config option and it will be assumed that that is both the login username and the user account name (for finding the userpage etc). E.g. Pywikibot can't quite handle bot passwords because of this, according to @jayvdb.

Google's application passwords use the normal username and a special password; we should do the same and allow login with normal username and bot password. The @botname postfix is still useful for password management but should not be required when using the login API so bot frameworks do not have to be aware of it.

Event Timeline

Anomie triaged this task as Low priority. Aug 7 2016, 6:38 PM
Anomie added a project: Security-Core.

OTOH, that means an attacker can try to guess every bot password for the user at once, and it means comparing with an arbitrarily large number of passwords on an API action=login. Security-Team should be asked for input here.

Considering that people really should be using OAuth instead anyway, and it should be relatively easy for the client to either have separate configuration, strip the @botname itself, or just use the username returned by a successful action=login, I'm more inclined to suggest that the client be fixed to handle the situation.

The goal of bot logins is to be able to plug it into any old unmaintained code without having to update the code. If bot frameworks need to be fixed so that they can use bot passwords, that kind of defeats the purpose.

Given that bot passwords are random 160-bit keys I hardly see any security problem with that. Limits of theoretical possibility are around 2^60-ish attempts even for offline password cracking, and it's unlikely that any user would have more than 2^100 bot passwords.

It might slow down unsuccessful logins and successful bot logins (which omit the @... postfix) a bit since the password has to be hashed several times. I think that's acceptable but if not at least a single postfixless password should be allowed.

For reference and interconnectability, the two BotPasswords issues on pywikibot (AFAIK):
T142623, T143417

Change 306133 had a related patch set uploaded (by Gergő Tisza):
[POC] Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/306133

https://gerrit.wikimedia.org/r/306133 is rather ugly but should be free of security and performance problems.

Change 306133 merged by jenkins-bot:
Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/306133

It seems to me that when creating a bot password I should be required to type my account password before proceeding in the same way I have to prior to changing my account password.

See T136101. It should probably set a non-null security level though.

Change 388256 had a related patch set uploaded (by Reedy; owner: Gergő Tisza):
[mediawiki/core@REL1_27] Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/388256

Change 388256 merged by jenkins-bot:
[mediawiki/core@REL1_27] Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/388256
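
The trade-off debated in this thread, as an added Python sketch (not MediaWiki's code and not part of the task): accepting a bare bot password with the base username means hashing against every bot password the user has, while carrying the app ID inside the password selects one record and costs at most one hash. The `appid@secret` layout, the in-memory store, the user name and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, os

SEP = "@"            # separator named in the thread ("@botname")
ITERATIONS = 10_000  # constructed value, kept low so the demo runs fast

def hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

class BotPasswordStore:
    """Hypothetical in-memory store: (user, app_id) -> (salt, hash)."""

    def __init__(self):
        self.records = {}
        self.hash_calls = 0  # how many slow hashes a login attempt costs

    def create(self, user, app_id):
        secret = os.urandom(20).hex()  # random 160-bit secret, hex-encoded
        salt = os.urandom(16)
        self.records[(user, app_id)] = (salt, hash_secret(secret, salt))
        return secret

    def _check(self, key, secret):
        salt, stored = self.records[key]
        self.hash_calls += 1
        return hmac.compare_digest(stored, hash_secret(secret, salt))

    def login_try_all(self, user, password):
        """Base username + bare secret: every record of the user is hashed."""
        matched = None
        for key in [k for k in self.records if k[0] == user]:
            if self._check(key, password) and matched is None:
                matched = key[1]
        return matched

    def login_app_id_in_password(self, user, password):
        """Base username + 'appid@secret': one lookup, at most one hash."""
        app_id, sep, secret = password.rpartition(SEP)  # split at last '@'
        if not sep or (user, app_id) not in self.records:
            return None
        return app_id if self._check((user, app_id), secret) else None

if __name__ == "__main__":
    store = BotPasswordStore()
    secrets = {a: store.create("ExampleUser", a) for a in ("a", "b", "c")}
    store.hash_calls = 0
    store.login_try_all("ExampleUser", "wrong-guess")
    print("try-all, failed login:", store.hash_calls, "hashes")
    store.hash_calls = 0
    store.login_app_id_in_password("ExampleUser", "c@" + secrets["c"])
    print("app ID in password:", store.hash_calls, "hash")
```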