Page MenuHomePhabricator
Create Task
Maniphest T145952

Reduce password reset spam
Open, Needs TriagePublic
Actions

Description

Some users with short and obvious usernames get very many unsolicited password reset emails. User:Angela reports getting 6 in the last 28 days and considers this to be a typical rate. The assumed cause is people with the same name believing (or suspecting) they are the legitimate owner of the account.

Possible solutions:

  • Opt in to a security question. The security question must be answered correctly before the password reset mail is sent.
  • Opt in to two-step verification, and then disallow password reset through email if two-step verification has been used within the last X days.
  • Opt out of one of the password reset routes (by username / by email), while still allowing the other.

Also possible (though debated by some contributors, see below):

  • Allow users to simply opt out from password reset mails. The user promises not to forget their password.

Related Objects

Event Timeline

tstarling created this task.Sep 18 2016, 4:39 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 18 2016, 4:39 AM
Huji updated the task description. (Show Details)Oct 3 2016, 10:04 PM
Huji subscribed.

Tim, I removed option 2 (show partial email address) for privacy concerns (the partial email can potentially reveal someone's name, for instance). I also removed option 3 because it is not solving the problem, but eliminating it.

I also added an alternative about two-step verification.

tstarling updated the task description. (Show Details)Nov 15 2016, 10:09 PM

What is wrong with eliminating the problem?

Huji added a comment.Nov 15 2016, 10:14 PM

It is shortsighted. Imagine we implement this. Then I promise not to forget my password, and ask for password reset to be disabled for me. Late, someone hacks into my account and changes the password. I have no way to take it back.

So you eliminate a problem by introducing other contingencies. That is not strategic.

Huji updated the task description. (Show Details)Nov 15 2016, 10:15 PM
matmarex updated the task description. (Show Details)Nov 15 2016, 10:16 PM
Jorm subscribed.Nov 15 2016, 11:11 PM

I would very much like to have this spam reduced. While my username isn't a common name (like Angela), it is _short_ (4 characters). If I had my druthers, I'd prefer the security question as it is least invasive to the user from a day-to-day operational standpoint.

Ladsgroup subscribed.Nov 16 2016, 5:48 AM
demon unsubscribed.Nov 25 2016, 10:07 PM
Scott mentioned this in T189492: Remove "probably you" from password reset notification email.Mar 12 2018, 2:35 PM
Jdforrester-WMF subscribed.May 3 2018, 11:36 PM
Elitre subscribed.May 4 2018, 4:43 PM
xSavitar awarded a token.Nov 4 2018, 10:41 AM
xSavitar added a subscriber: revi.
xSavitar subscribed.

This happened to me today :(. Thanks @revi for https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2019/Anti-harassment/Add_an_option_to_require_email_address_and_username_to_reset_password. :)

Elitre unsubscribed.Nov 8 2018, 4:54 PM
Liuxinyu970226 subscribed.Nov 11 2018, 6:50 AM
AfroThundr3007730 subscribed.Nov 26 2018, 1:41 AM
RhinosF1 subscribed.Apr 8 2019, 3:34 PM
Niharika mentioned this in T225872: not possible to set email when email blocked.Jun 21 2019, 9:24 PM
alaa awarded a token.Jun 24 2019, 4:50 PM
alaa subscribed.
Reedy edited subscribers, added: Reedy, sbassett; removed: dpatrick.Aug 27 2019, 4:31 PM

I note when someone is implementing this... under T230436 and by Community-Tech

Logging should be put in place so we can see the state of things (ip/user X requested reset for Y etc)... And we should be putting in a rate limiter to prevent one user/ip doing a loooad of requests

Both should be relatively easy to do while working in the area

Reedy mentioned this in T231495: Password Reset: Add Preference for Password Reset Behind Feature Flag.Sep 11 2019, 5:26 PM
Reedy mentioned this in T232738: Add logging and throttling to PasswordReset workflow.Sep 12 2019, 12:46 PM
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL