Improve failed login notifications in LoginNotify extension
Closed, ResolvedPublic3 Story Points

Description

Here are the current notifications:


Currently it provides a link under the notification text to your own user page.

Icon:

  • The lock icon should be replaced by the user avatar icon, to indicate that the notification is about a user. (You may need to copy this icon into the Echo extension.)

Web notifications:

  • Make the messages for the 2 failed login notifications the same (both in the web notifications and email notifications):
There have been (#) failed attempts to log in to your account since the last time you logged in. If this was you, then you can disregard this message. It it wasn't, you should consider changing your password.

Email notifications:

"There {{PLURAL:$2|has been a failed attempt|have been $2 failed attempts}} to log in to your account '$1' on {{SITENAME}}. If this was you, then you can disregard this message. If it wasn't, you should consider changing your password."

kaldari created this task.Mar 9 2017, 2:10 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 9 2017, 2:10 AM
kaldari triaged this task as Normal priority.Mar 9 2017, 2:11 AM

The lock icon looks like a shopping bag. This should be replaced by something approved by a WMF designer.

Whether to use a lock icon at all might be questionable, but for starters the OOjs UI 'lock' icon is much better.

kaldari moved this task from Untriaged to Epic backlog on the Community-Tech board.Mar 9 2017, 6:15 PM
DannyH added a comment.Mar 9 2017, 7:35 PM

For the icon on the left, we could reuse the person sillhouette that's next to the username -- it would indicate that the notice is username-related.

I want to edit the second message:
Current: There have been three failed attempts to login to your account from a computer you have not edited from recently, since the last time you logged in.
New version: There have been three failed attempts to login into your account since the last time you logged in.

I might want to edit the third message too, I'm thinking about wording.

I think there should be a link to a Mediawiki.org help page, explaining what the message means and what you should do about it. How about putting a link at the end of the warning text that says (more info) in a smaller font?

What do the email notifications look like?

Yes, I recommend a help page link as opposed to a MediaWiki.org link or user page.

As for the copy in the third message — Someone has successfully logged into your account from a device on which you have never edited. — Unless 'recently' is literal, in which case I would suggest Someone has successfully logged into your account from a device on which you have not recently edited.

We should probably use 'device' instead of 'computer' — right?

How about "Someone has successfully logged into your account from an unfamiliar device"?

Here's warnings from other sites:

Facebook:

Twitter:

Google:

Should we talk to Security/IT about what advice to give people?

Maybe we don't need the more info link/Help page.

I think the only thing we want to say is: -- If this was you, then don't worry about it. If it wasn't you, then we'd suggest changing your password. --

So we could just put that in the notification. What do you think?

@DannyH, Hmm, if someone logged in to your account from some other IP/computer then changing the password won't help much, I suppose.

@kaldari Do you know if we have something to logout of all active sessions or something similar like other websites?

@Niharika If you change your password, then they won't be able to use it to log in next time.

@DannyH, but they are already in. So they can mess with pretty much everything.

@Niharika Would time travel help?

😆
@DannyH: What most websites do is to allow you to log yourself out of all active sessions. So the invader would immediately find himself logged out and unable to do anything. This should probably already exist in MediaWiki and if not, we should consider adding it to the extension because without it, it seems quite unhelpful.

kaldari added a comment.EditedMar 10 2017, 2:53 AM

Current: There have been three failed attempts to login to your account from a computer you have not edited from recently, since the last time you logged in.
New version: There have been three failed attempts to login into your account since the last time you logged in.

@DannyH: So you are suggesting that we only have a single failed login notification (that uses the same text regardless of whether it was from a familiar device or an unfamiliar device)? I think that's a good idea as it makes it less confusing.

Yeah, I think one message for failed login would make life easier. On our end, we can choose different thresholds for known IPs and new IPs, but the user doesn't need to know those details.

DannyH updated the task description. (Show Details)Mar 14 2017, 8:55 PM
DannyH moved this task from Epic backlog to To be estimated/discussed on the Community-Tech board.
kaldari renamed this task from Improve notifications in LoginNotify extension to Improve failed login notifications in LoginNotify extension.Mar 14 2017, 11:23 PM
kaldari updated the task description. (Show Details)
kaldari set the point value for this task to 3.Mar 14 2017, 11:26 PM
kaldari edited projects, added Community-Tech-Sprint; removed Community-Tech.
DannyH updated the task description. (Show Details)Mar 14 2017, 11:27 PM
DannyH updated the task description. (Show Details)
kaldari raised the priority of this task from Normal to High.Mar 14 2017, 11:28 PM
DannyH removed DannyH as the assignee of this task.Mar 14 2017, 11:30 PM
DannyH added a subscriber: DannyH.
kaldari updated the task description. (Show Details)Mar 15 2017, 12:09 AM
kaldari updated the task description. (Show Details)Mar 15 2017, 12:20 AM
kaldari updated the task description. (Show Details)
kaldari updated the task description. (Show Details)Mar 15 2017, 12:22 AM
kaldari updated the task description. (Show Details)Mar 16 2017, 5:59 PM
MusikAnimal claimed this task.
DannyH updated the task description. (Show Details)Mar 17 2017, 9:06 PM
MZMcBride updated the task description. (Show Details)Mar 17 2017, 9:10 PM
MZMcBride added a subscriber: MZMcBride.
kaldari updated the task description. (Show Details)Mar 17 2017, 10:40 PM

@DannyH: I was thinking some more about the notifications for failed log-ins (while testing MusikAnimal's patch), and I was wondering if maybe we should give the user more specific advice, like:

There have been X failed attempts to log in to your account since the last time you logged in. If this was you, then you can disregard this message. If it wasn't, please make sure your account has a strong password.

Currently, we tell them to consider changing their password, which could actually make it worse (and wouldn't make sense for people who already have good unique passwords).

Gradzeichen added a subscriber: Gradzeichen.EditedMar 23 2017, 9:49 AM
I was wondering if maybe we should give the user more specific advice, like:  ... If it wasn't, please make sure your account has a strong password.

To actually change the password an user has to go to the page Special:ChangeCredentials/MediaWiki\Auth\PasswordAuthenticationRequest

This page contains a text field (changecredentials-summary) -- but it contains no text. This field could easily be filled with a text like: "Please enter a strong and unique password" No programming is required and everyone who sets or changes a password would profit.

see: T122124 Tell users to use a unique password when creating an account.

@kaldari Yes, that's a really good thought. Let's do that.

Change 343332 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Simplify messages in login notification, still having two separate messages so wikis can configure them as desired.

https://gerrit.wikimedia.org/r/343332

kaldari closed this task as Resolved.Mar 23 2017, 6:04 PM
kaldari moved this task from Needs Review/Feedback to Done on the Community-Tech-Sprint board.