Why should we do this?

Maybe CheckUser extension can be modified it does this work.

bloody brilliant

This task is missing a description of an underlying problem and instead only asks for one (potential) solution.
Please describe which problem is there to solve. Thanks!

Hi Aklapper,

Why should we do this?

This is needed for security, so that if an account was compromised at a point to view something but not to perform any action I noticed in my contributions, I can observe the time and IP of the login in the login history, and change the password.

https://support.google.com/mail/answer/45938?hl=en - how Gmail has this feature.

This may be useful for privileged accounts, such as with sysop or oversight access.

I remove the MediaWiki-Core-AuthManager tag, as this is already possible with the AuthManager framework. You simply need to subscribe to the login audit hooks (https://www.mediawiki.org/wiki/Manual:Hooks/AuthManagerLoginAuthenticateAudit or https://www.mediawiki.org/wiki/Manual:Hooks/LoginAuthenticateAudit for pre 1.27.0) and do whatever you want to do there (e.g. log the failed/succeeded login attempt into something or somewhere). This, however, should be an extension and not part of MediaWiki core I think. If you want to implement that, you can probably take a look at the LoginNotify extension: https://github.com/wikimedia/mediawiki-extensions-LoginNotify

One or two remarks, though:

In T152157#2980741, @Gryllida wrote:

This may be useful for privileged accounts, such as with sysop or oversight access.

I would strongly disagree with this statement. I can't see any benefit for members of this groups, but I see some potential problems with privacy, e.g., as you, as a member of this group, have the ability to silently see, when (and maybe from where and with what device) a user has logged in or used a false password or whatever. This could also allow you to create geographical profiles or expose the devices the user regulary uses (if the UserAgent is saved, too) or what browser he's using. If something like this is implemented I would say, that the user is the only one who should be allowed to see his own login events (failed or succeeded).

This is needed for security, so that if an account was compromised at a point to view something but not to perform any action I noticed in my contributions, I can observe the time and IP of the login in the login history, and change the password.

This can probably also be achieved already with the already mentioned LoginNotify extension, without saving a lot of data :) And, even if the login attempts are saved, you, as a used, would be required to regulary check the logs to see, if there's activity from other persons than you, which sounds like no-one would do that. So you would need to put something like a "your last successful login was at ... from ..." at a very prominent position. Where would that be? Or you just warn the user, when he logged in and the last login attempt was a failure, or the activity looks like an abuse or whatever. This, however, sounds again like the LoginNotify extension :)

We should log history of users' logins.

Log user agent string, time, IP of successful logins on ALL wikis.

Make it view-able in account info each wiki.

Just for the record, the first 2 are done in a wikimedia context (The "badpass" logging channel). Its just not viewable by non developers (The log is either in https://logstash.wikimedia.org or a text file on the mwlog1001 server).

Well, it looks like a dupe or a config change request. $wgCheckUserLogLogins exist (https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/CheckUser/+/408049/ and T174492: Log unsuccessful login attempts in CheckUser) and enabling should be technically easy both on Wikimedia and on non Wikimedia wikis. To be honest, I don't know why this isn't enabled on Wikimedia wikis.

@Urbanecm see T253802: Configure WMF wikis to log login attempts in CheckUser