
Reduce password reset spam
Open, Needs Triage, Public

Description

Some users with short and obvious usernames get very many unsolicited password reset emails. User:Angela reports getting 6 in the last 28 days and considers this to be a typical rate. The assumed cause is people with the same name believing (or suspecting) they are the legitimate owner of the account.

Possible solutions:

  • Opt in to a security question. The security question must be answered correctly before the password reset mail is sent.
  • Opt in to two-step verification, and then disallow password reset through email if two-step verification has been used within the last X days.
  • Opt out of one of the password reset routes (by username / by email), while still allowing the other.

Also possible (though debated by some contributors, see below):

  • Allow users to simply opt out from password reset mails. The user promises not to forget their password.
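The three opt-in controls listed above combine into a single decision about whether a reset mail is sent at all. The following is an added example written for this page, not MediaWiki's code or anything proposed in the task; the account fields, the `reset_mail_decision` function and the 30-day value standing in for "X days" are all assumptions. It stores only a salted hash of the security-question answer, compares it in constant time, applies the two-step-verification recency window, and honours a per-route opt-out while still leaving the other route open.

```python
"""Model of the opt-in password-reset controls discussed in this task.
Hypothetical example code; not MediaWiki's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple
import hashlib
import hmac
import os

# The task leaves "X days" open; 30 days is an assumed value for this example.
TWO_FACTOR_WINDOW = timedelta(days=30)

# Fixed reference time so the example is deterministic when run offline.
NOW = datetime(2016, 11, 15, 22, 0)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


@dataclass
class Account:
    name: str
    email: str
    # Opt-in security question: only a salted PBKDF2 hash of the answer is kept.
    question: Optional[str] = None
    answer_salt: bytes = b""
    answer_hash: bytes = b""
    # Opt-in two-step verification and when it was last completed.
    two_factor_enabled: bool = False
    last_two_factor_login: Optional[datetime] = None
    # Per-route opt-out: a user may disable one route and keep the other.
    allow_reset_by_username: bool = True
    allow_reset_by_email: bool = True


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Blue  Car' and 'blue car' agree."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


def set_security_question(acct: Account, question: str, answer: str) -> None:
    acct.question = question
    acct.answer_salt = os.urandom(16)
    acct.answer_hash = hash_answer(answer, acct.answer_salt)


def answer_matches(acct: Account, answer: str) -> bool:
    # Constant-time comparison of the hashes, not of the plaintext answers.
    return hmac.compare_digest(hash_answer(answer, acct.answer_salt), acct.answer_hash)


def reset_mail_decision(acct: Account, route: str, now: datetime,
                        answer: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether to send the reset mail for a request made via `route`
    ('username' or 'email'). Returns (send, reason); the reason is for the
    server log only."""
    if route == "username" and not acct.allow_reset_by_username:
        return False, "username route opted out"
    if route == "email" and not acct.allow_reset_by_email:
        return False, "email route opted out"
    if route not in ("username", "email"):
        return False, "unknown route"
    # Two-step verification used recently: the owner can log in without a
    # reset, so an unsolicited request is almost certainly not theirs.
    if (acct.two_factor_enabled and acct.last_two_factor_login is not None
            and now - acct.last_two_factor_login <= TWO_FACTOR_WINDOW):
        return False, "2FA used recently"
    # Security question must be answered before any mail goes out.
    if acct.question is not None:
        if answer is None:
            return False, "security question required"
        if not answer_matches(acct, answer):
            return False, "wrong answer"
    return True, "send"


if __name__ == "__main__":
    acct = Account(name="Angela", email="angela@example.org")  # constructed sample
    print(reset_mail_decision(acct, "username", NOW))
    set_security_question(acct, "First car?", "Blue Car")
    print(reset_mail_decision(acct, "username", NOW, answer="red"))
    print(reset_mail_decision(acct, "username", NOW, answer="blue  car"))
```

The reason string is meant for logging; whatever the requester sees in the browser should be the same generic confirmation for every outcome, so that the presence of an opt-out does not become an account-enumeration signal. Note that the window check only refuses mail while two-step verification has been used recently, so an owner who has genuinely lost the password still gets a reset once the window lapses.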

Event Timeline

Restricted Application added a subscriber: Aklapper. Sep 18 2016, 4:39 AM
Huji updated the task description. Oct 3 2016, 10:04 PM
Huji added a subscriber: Huji.

Tim, I removed option 2 (show partial email address) for privacy concerns (the partial email can potentially reveal someone's name, for instance). I also removed option 3 because it is not solving the problem, but eliminating it.

I also added an alternative about two-step verification.

tstarling updated the task description. Nov 15 2016, 10:09 PM

What is wrong with eliminating the problem?

Huji added a comment.Nov 15 2016, 10:14 PM

It is shortsighted. Imagine we implement this. Then I promise not to forget my password, and ask for password reset to be disabled for me. Later, someone hacks into my account and changes the password. I have no way to take it back.

So you eliminate a problem by introducing other contingencies. That is not strategic.

Huji updated the task description. Nov 15 2016, 10:15 PM
matmarex updated the task description. Nov 15 2016, 10:16 PM
Jorm added a subscriber: Jorm.Nov 15 2016, 11:11 PM

I would very much like to have this spam reduced. While my username isn't a common name (like Angela), it is _short_ (4 characters). If I had my druthers, I'd prefer the security question as it is least invasive to the user from a day-to-day operational standpoint.

demon removed a subscriber: demon.Nov 25 2016, 10:07 PM
Elitre added a subscriber: Elitre.May 4 2018, 4:43 PM
Elitre removed a subscriber: Elitre.Nov 8 2018, 4:54 PM
alanajjar added a subscriber: alanajjar.