Page MenuHomePhabricator
Create Task
Maniphest T153454

Enable BotPasswords (or similar feature) for web/interactive access
Closed, DeclinedPublic
Actions

Description

Hi,
I edit from public computers sometime. But this increase likehood of breaking into my account. As I hold advanced privilegies this can make huge damage which can't be easily reverted (bureaucrat+sysop rights) I wish to limit grants per used password. Yes, I have long, random and unique password, yes, I change it sometime, yes, I have enabled 2FA

Botpasswords was enabled recently. I'd like to have a similar feature which will allow me to generate/enter additional password for my account and I will be able to limit grants.

E.g. I login with Martin Urbanec as username and 123 as password, I will be able to do everything what my account allows me to do (currently bureaucrat and sysop rights). But when I login with Martin Urbanec as username and Test@987 as password, I will be able to do everything a normal user is (edit, move, etc.) or whatever I'll allow to do this another password.

Yes, I can create additional account but this don't allow me to access my watchlist, it count my public and private edits separatly etc.

Thank you for considering this feature-request.

Best,
Martin Urbanec

Related Objects

Event Timeline

Urbanecm created this task.Dec 16 2016, 1:50 PM
Restricted Application added a project: User-Urbanecm. · View Herald TranscriptDec 16 2016, 1:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Urbanecm moved this task from Backlog to Watching on the User-Urbanecm board.Dec 16 2016, 1:51 PM
Urbanecm updated the task description. (Show Details)Dec 20 2016, 11:59 AM
Urbanecm updated the task description. (Show Details)Feb 9 2017, 4:24 PM
Urbanecm added a comment.Apr 14 2017, 10:56 AM

May somebody have a look at this?

Legoktm subscribed.Apr 14 2017, 11:06 AM

Any account can use bot passwords? There's no limitation that restricts it only to bots.

Urbanecm added a comment.Apr 14 2017, 11:19 AM

You didn't understand me. Yes, I can use botpassword but I mean new similar feature.

I want my account to have multiple passwords and limiting available grants per this password as in botpassword feature.

In another words: I can't create a botpassword and login by Special:Login with this botpassword.

And why? For increased security for example when editing from public computers without any other account.

Urbanecm added a comment.Oct 27 2017, 8:29 PM

Any chance to get this implemented sometime? ;)

Xaosflux added a subscriber: Rehman.Feb 13 2018, 4:13 AM
Xaosflux subscribed.

Another parallel request on enwiki from @Rehman : https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(idea_lab)&oldid=825396470#Separate_password_for_logging_in_with_limited_access

Xaosflux added a comment.Feb 13 2018, 4:15 AM

In reading, this would basically be BotPasswords - but also allowing interactive WEB editing. Perhaps that could just be another grant on the exiting system?

Rehman added a comment.Feb 13 2018, 4:19 AM

Really looking forward to this being implemented in the future. It's quite a significant feature in terms of security and user experience. Thanks Xaosflux, for pointing me this page :)

Xaosflux renamed this task from Enable BotPasswords (or similar feature) for non-bot accounts to Enable BotPasswords (or similar feature) for web/interactive access.Feb 13 2018, 4:24 AM
Xaosflux added a subscriber: Tgr.

@Tgr - Would you mind commenting on the feasibility of this and/or if it fits a planned strategy (or if there is a competing strategy already?). Thank you.

Tgr added a project: Security-General.Feb 13 2018, 6:30 AM

Bot passwords were created specifically to circumvent security features that would cause problems for legacy bots (like 2FA or login notifications) so it makes little sense to use them for increased security. Also they are not really compatible with CentralAuth as each has its own session provider.

Hacking a botpassword-like feature on top of CentralAuth would not be too hard, as the core functionality is built into SessionManager; you'd only have to duplicate the bot password management UI and modify the login logic to handle the alternative password. It would be kind of inelegant though - limited-permission accounts have nothing to do with CentralAuth, it would make just as much sense to use them with the private wikis (core auth) or wikitech (LdapAuth). I'm not sure how one would go about adding that functionality in a way that's orthogonal to authentication and session providers.

Urbanecm moved this task from Watching to Created on the User-Urbanecm board.Apr 23 2018, 11:26 AM
Framawiki subscribed.May 20 2018, 12:43 PM
Urbanecm added a comment.May 30 2018, 4:47 AM

If this is implemented as allowing botpasswords via web as well, why not, but then choosing own botpasswords will be a must. Otherwise, I'll have to open my password manager (LastPass) either on another computer I trust (why I'm editing on the public one then?) or on mobile or on the public computer itself (which will throw away almost any security improvement, because the keylogger can capture my LastPass password [or I can use one time login codes, that's why only almost] or simply download all my passwords since I'm authenticated). And even when using first two ways, I'd have to copy the bot password manually instead of clipboard or write it from my memory.

BethNaught subscribed.Jul 9 2018, 3:56 PM
Ajraddatz subscribed.Jul 9 2018, 5:26 PM

I really hope that none of this would be mandatory. I'm personally a fan of efficiency and proportionate security responses, of which this is not one.

Xaosflux added a comment.Jul 9 2018, 9:42 PM

@Ajraddatz my hopes would be that it would be like botpasswords, where basically you could log on with multiple passwords if you opt in to it, and when you opt in to it you can choose what access is available under your opt. You could lock certain passwords to certain IP's, make some edit-only, etc. Put everything entirely in control of the editor.

Krenair subscribed.Jul 9 2018, 9:43 PM
Ajraddatz added a comment.Jul 10 2018, 3:04 AM

Thanks. I have no concerns if this is left to individual users to decide what hoops they want to create for themselves.

Urbanecm mentioned this in T201784: Implement option "require two-factor authentication only for dangerous actions".Aug 15 2018, 11:05 AM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
Urbanecm removed a project: User-Urbanecm.Oct 10 2018, 11:08 AM
Liuxinyu970226 awarded a token.Nov 11 2018, 6:49 AM
Liuxinyu970226 subscribed.
Xaosflux added a comment.Nov 19 2018, 1:44 PM

Listed on the CWL Survey for 2019, feel free to add support here: https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2019/Admins_and_patrollers/Allow_De-Privileged_logons_to_webui

Urbanecm added a comment.Nov 19 2018, 2:07 PM

Thank you @Xaosflux, {{support}}ed.

AfroThundr3007730 subscribed.Nov 26 2018, 12:58 AM
Xaosflux added a comment.Nov 30 2018, 7:31 PM

Was ranked #52 in the https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2019 with 44 votes

Tgr added a comment.Dec 1 2018, 6:56 AM

I have proposed sort of the reverse of this: T210909: Introduce secure mode to MediaWiki

Urbanecm added a comment.Dec 1 2018, 11:50 PM

I see those two tasks as separate and we can do both of them. I don't see those two tasks as reverse of each other.

stwalkerster awarded a token.Feb 8 2019, 11:43 PM
stwalkerster subscribed.
Ivanhercaz subscribed.Feb 9 2019, 11:43 AM
chasemp triaged this task as Medium priority.Dec 9 2019, 5:20 PM
Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
AntiCompositeNumber subscribed.Feb 22 2020, 12:39 AM
taavi subscribed.Jun 6 2020, 9:07 AM
Ladsgroup subscribed.Aug 12 2024, 7:56 PM
Nemoralis subscribed.Feb 17 2026, 8:36 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptFeb 17 2026, 8:36 PM
Nemoralis awarded a token.Feb 17 2026, 8:36 PM
matmarex moved this task from Inbox, needs triage to Not planned / Patches welcome on the MediaWiki-Platform-Team board.Feb 23 2026, 3:57 PM
matmarex moved this task from Not planned / Patches welcome to Inbox, needs triage on the MediaWiki-Platform-Team board.
Tgr added a comment.Mar 8 2026, 1:57 PM
In T153454#4791681, @Urbanecm wrote:

I see those two tasks as separate and we can do both of them. I don't see those two tasks as reverse of each other.

Technically you could do both but it seems pointless. One lets you login into an alternative account with scope restrictions; the other makes scope restrictions default (with less fine-grained control) and you essentially need to log in again to access extra permissions. In terms of password theft, WebAuthn offers a superior alternative compared to alternative passwords; in terms of session theft, if the default session has limited privileges, that's on par with this proposal, except it has the power of the default.

I think there's consensus that we want some kind of "sudo mode" where you explicitly need to opt in (via some mechanism that a malicious script that just took over your browser cannot easily use) to user your more dangerous rights like checkuser. IMO the key differences for this proposal are:

  1. It's opt-in, rather than forced on you.
  2. It would reuse the grants mechanism so the user has finegrained control over what permissions are considered sensitive.
  3. It would use a dedicated set of login credentials as the mechanism, rather than the system sending the user through a challenge (probably login with the normal credentials, although in theory it could be something different) when needed, or maybe when explicitly starting it by pressing a sudo button.

I think those are all inferior choices today (though not necessarily at the time the task was filed, when our 2FA support was poor):

  1. Preventing privileged access from XSS is a key security feature, so we definitely need it to be non-optional. At best this proposal could only work if another, non-optin feature is implemented alongside it, but that would make it superfluous and confusing.
  2. Having to figure out grants seems like an unnecessary chore to me. I don't think there's much use case for personalising which privileges need protection.
  3. The third one is more debatable, but using login credentials seems both invonvenient to me (why not use just a checkbox, then? WebAuthn will protect against credential theft), and less flexible than a session flag (e.g. what if you want support for cross-wiki actions? bot passwords require logging in separately for each wiki).

So, I'd decline this.

Michael subscribed.Mar 10 2026, 2:23 PM
Krinkle closed this task as Declined.Mar 10 2026, 4:05 PM
Krinkle subscribed.

Declining per Gergo. This was originally filed before we had 2FA and the safemode user preference. See also T197137 where we require re-authentication before JS edits, and where BotPasswords being limited to API login sessions is something we want to build on and depend on.

We welcome new tasks for specific use cases though, but we may want to approach them differently and/or find existing solutions.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits