
Reduce password reset spam
Open, Needs Triage, Public


Some users with short and obvious usernames get very many unsolicited password reset emails. User:Angela reports getting 6 in the last 28 days and considers this to be a typical rate. The assumed cause is people with the same name believing (or suspecting) they are the legitimate owner of the account.

Possible solutions:

  • Opt in to a security question. The security question must be answered correctly before the password reset mail is sent.
  • Opt in to two-step verification, and then disallow password reset through email if two-step verification has been used within the last X days.
  • Opt out of one of the password reset routes (by username / by email), while still allowing the other.

Also possible (though debated by some contributors, see below):

  • Allow users to simply opt out from password reset mails. The user promises not to forget their password.

Event Timeline

Huji subscribed.

Tim, I removed option 2 (show partial email address) for privacy concerns (the partial email can potentially reveal someone's name, for instance). I also removed option 3 because it is not solving the problem, but eliminating it.

I also added an alternative about two-step verification.

What is wrong with eliminating the problem?

It is shortsighted. Imagine we implement this. Then I promise not to forget my password, and ask for password reset to be disabled for me. Later, someone hacks into my account and changes the password. I have no way to take it back.

So you eliminate a problem by introducing other contingencies. That is not strategic.

I would very much like to have this spam reduced. While my username isn't a common name (like Angela), it is _short_ (4 characters). If I had my druthers, I'd prefer the security question as it is least invasive to the user from a day-to-day operational standpoint.

I note when someone is implementing this... under T230436 and by Community-Tech

Logging should be put in place so we can see the state of things (ip/user X requested reset for Y etc)... And we should be putting in a rate limiter to prevent one user/ip doing a loooad of requests

Both should be relatively easy to do while working in the area
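A sketch of how the reset-route opt-outs, two-step gating and security question from the task description, together with the per-ip/per-user logging and rate limiting asked for in the comment above, could be combined in one request gate. This is an added example, not MediaWiki's or Community-Tech's code; the class, field names, thresholds and sample accounts are assumptions.

```python
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Account:
    name: str
    allow_reset_by_username: bool = True        # opt out of one reset route
    allow_reset_by_email: bool = True
    security_answer: Optional[str] = None       # opt-in security question (would be hashed in practice)
    last_two_step_use: Optional[datetime] = None  # opt-in two-step verification

class ResetGate:
    """Decides whether a reset mail goes out and records every request (assumed design)."""
    def __init__(self, two_step_days=30, limit=5, window=timedelta(hours=1)):
        self.two_step_window = timedelta(days=two_step_days)  # the "last X days" in option 2
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)   # ip or username -> recent request times
        self.log = []                      # (time, ip, target user, outcome)

    def _limited(self, key, now):
        q = self.recent[key]
        while q and now - q[0] > self.window:   # drop requests outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.limit

    def request(self, acct, route, ip, now, answer=None):
        """route is 'username' or 'email'; returns (mail_sent, reason)."""
        def done(sent, reason):
            self.log.append((now, ip, acct.name, reason))   # "ip X requested reset for Y"
            return sent, reason
        if self._limited(ip, now) or self._limited(acct.name, now):
            return done(False, "rate limited")
        if route == "username" and not acct.allow_reset_by_username:
            return done(False, "route disabled: username")
        if route == "email" and not acct.allow_reset_by_email:
            return done(False, "route disabled: email")
        if acct.last_two_step_use and now - acct.last_two_step_use < self.two_step_window:
            return done(False, "two-step used recently; reset via two-step instead")
        if acct.security_answer is not None and not hmac.compare_digest(
                answer or "", acct.security_answer):   # constant-time compare
            return done(False, "security question not answered")
        return done(True, "mail sent")
```

Every refusal is logged with the same detail as a success, so the log alone shows who is hammering which username.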