Page MenuHomePhabricator

Allow using a bot password with base username
Closed, ResolvedPublic

Description

Bot passwords were created with the goal of providing a safe login option for people who are stuck with old bot code, but they don't quite achieve that: most bots will have a single "username" config option and it will be assumed that that is both the login username and the user account name (for finding the userpage etc). E.g. Pywikibot can't quite handle bot passwords because of this, according to @jayvdb.

Google's application passwords use the normal username and a special password; we should do the same and allow login with normal username and bot password. The @botname postfix is still useful for password management but should not be required when using the login API so bot frameworks do not have to be aware of it.

Event Timeline

Tgr created this task.Aug 6 2016, 6:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2016, 6:46 PM
Anomie triaged this task as Low priority.Aug 7 2016, 6:38 PM
Anomie added a project: Security-Core.

OTOH, that means an attacker can try to guess every bot password for the user at once, and it means comparing with an arbitrarily large number of passwords on an API action=login. Security-Team should be asked for input here.

Considering that people really should be using OAuth instead anyway, and it should be relatively easy for the client to either have separate configuration, strip the @botname itself, or just use the username returned by a successful action=login, I'm more inclined to suggest that the client be fixed to handle the situation.

Tgr added a comment.Aug 15 2016, 7:21 PM

The goal of bot logins is to be able to plug it in into any old unmaintained code without having to update the code. If bot frameworks need to be fixed so that they can use bot passwords, that kind of defeats the purpose.

Given that bot passwords are random 160-bit keys I hardly see any security problem with that. Limits of theoretical possibility are around 2^60-ish attempts even for offline password cracking, and it's unlikely that any user would have more than 2^100 bot passwords.

It might slow down unsuccessful logins and successful bot logins (which omit the @... postfix) a bit since the password has to be hashed several times. I think that's acceptable but if not at least a single postfixless password should be allowed.

For reference and interconecability. The two BotPasswords issues on pywikibot (AFAIK)
T142623, T143417

Change 306133 had a related patch set uploaded (by Gergő Tisza):
[POC] Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/306133

Tgr added a comment.Aug 23 2016, 3:05 AM

https://gerrit.wikimedia.org/r/306133 is rather ugly but should be free of security and performance problems.

Change 306133 merged by jenkins-bot:
Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/306133

Tgr closed this task as Resolved.Oct 7 2016, 3:52 AM
Tgr claimed this task.

It seems to me that when creating a bot password I should be required to type my account password before proceeding in the same way I have to prior to changing my account password.

Tgr added a comment.May 9 2017, 7:24 PM

See T136101. It should probably set a non-null security level though.

Change 388256 had a related patch set uploaded (by Reedy; owner: Gergő Tisza):
[mediawiki/core@REL1_27] Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/388256

Change 388256 merged by jenkins-bot:
[mediawiki/core@REL1_27] Allow putting the app ID in the password for bot passwords

https://gerrit.wikimedia.org/r/388256