Page MenuHomePhabricator

Email by default when someone tries to log in to your account?
Closed, DeclinedPublic

Description

T174263 has asked for email notifications for LoginNotify to be turned on by default. We should ask a couple of other communities to test the waters.

Event Timeline

Johan created this task.Aug 30 2017, 3:08 PM
Restricted Application added a project: User-Johan. · View Herald TranscriptAug 30 2017, 3:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Johan updated the task description. (Show Details)Aug 30 2017, 3:09 PM
Johan updated the task description. (Show Details)
Johan added a comment.Aug 30 2017, 3:12 PM

Posting something like this:

Hi everyone, we recently turned on [[LoginNotify]], a feature that’ll tell you when someone tries to log in to your account and fails. You’ll get a notification here per default (can be turned off in your preferences), and you can turn on email notifications.
We’re sort of being told by the community that we’re letting the editors down by not having email notifications when someone else tries to log in to your account on by default. The reasons for doing this would be something like this:

  • It’s about their account. It concerns them personally. It’s not emailing them to get their attention to some feature or decision someone else has decided is important.
  • If you don’t want these emails, you can turn them off. If you’re not logged in for a couple of weeks, however, you won’t even be aware of the potential problem. Most editors won’t know LoginNotify exists – they can make the decision to turn it off if they get emails and don’t want them, but they’ll never get the chance to consciously turn it on. A campaign to make sure everyone's aware of LoginNotify would be far more annoying than potentially getting an email about someone else trying to log in to your account.
  • We know a lot of folks have pretty bad password security. They use weak passwords and – worse – they reuse passwords. That puts their accounts at risk and makes this important.
  • If it’s not on by default on all wikis, that’s blocking the security for the wikis that turn it on by default. Then you just need to figure out which wikis don’t have this on by default (the accounts are global, after all), which will be public information, and try to log in there.

Link to other discussions: Hebrew Wikipedia, [[phab:T174263]].
Does this make sense to you?

Johan added a comment.Aug 30 2017, 3:13 PM

I'd pick a couple of wikis from English, Swedish, German, Danish, Norwegian (Bokmål, probably, rather than Nynorsk), mainly because it's easiest for me to follow and take part in discussions in those languages. (:

Hi, @Johan. I can't understand, which feature are you talking about of the two?

Samtar added a subscriber: Samtar.Aug 30 2017, 3:20 PM
Johan added a comment.Aug 30 2017, 3:23 PM

Ah, this was focused on emailing you when someone fails to log in to your account, because that was the focus of my conversation with Danny when he brought this up, but I realise now that the conversation about global default is of course about both LoginNotify email notifications. Sorry.

Ah, this was focused on emailing you when someone fails to log in to your account, because that was the focus of my conversation with Danny when he brought this up, but I realise now that the conversation about global default is of course about both LoginNotify email notifications. Sorry.

The problem is that if somebody did not see notification - it's his problem, but if there is no notifications for worth problem - he can't know somebody succeeded to login.

Qgil added a subscriber: Qgil.Aug 30 2017, 7:05 PM

I'd pick a couple of wikis from English, Swedish, German, Danish, Norwegian (Bokmål, probably, rather than Nynorsk), mainly because it's easiest for me to follow and take part in discussions in those languages. (:

What about standardizing / making a routine about asking for early testers at the Tech Ambassadors mailing list, to give a chance to other projects (other voices, other perspectives) to step in?

I'd pick a couple of wikis from English, Swedish, German, Danish, Norwegian (Bokmål, probably, rather than Nynorsk), mainly because it's easiest for me to follow and take part in discussions in those languages. (:

What about standardizing / making a routine about asking for early testers at the Tech Ambassadors mailing list, to give a chance to other projects (other voices, other perspectives) to step in?

I've been thinking about having a community group of testers who we can approach for getting our tools/extensions beta-tested and getting feedback before we put them out live. I put forth this idea on #wikipedia-en channel a few weeks ago and it was met with enthusiastic response with about four people reaching out to me, requesting to be on such a group. Is Tech Ambassadors basically the same idea? I didn't know what the purpose of that list was.

Johan added a comment.Aug 30 2017, 8:52 PM

I'd pick a couple of wikis from English, Swedish, German, Danish, Norwegian (Bokmål, probably, rather than Nynorsk), mainly because it's easiest for me to follow and take part in discussions in those languages. (:

What about standardizing / making a routine about asking for early testers at the Tech Ambassadors mailing list, to give a chance to other projects (other voices, other perspectives) to step in?

Sure, but not for a task like this, given that this isn't about early testing of a feature – it's in production, and notifications are on by default, so everyone's already using it, so to speak – but simply asking what to do with a specific preference.

Johan added a comment.Aug 31 2017, 7:59 PM

So something like this?

Hi everyone, we recently turned on [[LoginNotify]], a feature that’ll tell you when someone tries to log in to your account and fails. You’ll get a notification here per default (can be turned off in your preferences), and you can turn on email notifications.
We’re sort of being told by the community that we’re letting the editors down by not having email notifications when someone else tries to log in to your account (or logs in from a new place, which could be someone not you taking over your account) on by default. If you accidentally mistype your password from a device or IP that has previously logged in to the account, you need to fail five times before you're notified, so you won't be notified all the time because you slipped on the keyboard.
The reasons for email notifications by default if someone tries to log in and fails:

  • It’s about their account. It concerns them personally. It’s not emailing them to get their attention to some feature or decision someone else has decided is important.
  • If you don’t want these emails, you can turn them off. If you’re not logged in for a couple of weeks, however, you won’t even be aware of the potential problem. Most editors won’t know LoginNotify exists – they can make the decision to turn it off if they get emails and don’t want them, but they’ll never get the chance to consciously turn it on. A campaign to make sure everyone's aware of LoginNotify would be far more annoying than potentially getting an email about someone else trying to log in to your account.
  • We know a lot of folks have pretty bad password security. They use weak passwords and – worse – they reuse passwords. That puts their accounts at risk and makes this important.
  • If it’s not on by default on all wikis, that’s blocking the security for the wikis that turn it on by default. Then you just need to figure out which wikis don’t have this on by default (the accounts are global, after all), which will be public information, and try to log in there.

For the second discussion, about someone successfully logging in to your account from a new place, the reasons are similar.

  • This is the best defence you have if someone succeeds to log in. You'll immediately get an email.
  • If you don’t want these emails, you can turn them off – but most editors won’t know LoginNotify exists – they can make the decision to turn it off if they get emails and don’t want them, but they’ll never get the chance to consciously turn it on. A campaign to make sure everyone's aware of LoginNotify would be far more annoying than potentially getting an email about someone else trying to log in to your account.
  • We know a lot of folks have pretty bad password security. They use weak passwords and – worse – they reuse passwords. That puts their accounts at risk and makes this important.
  • Yet again, if this isn't turned on by default on all wikis, it leaves a very big security hole because all you need to do is find a wiki where this is turned off by default and most editors will not be notified.

Link to other discussions: Hebrew Wikipedia, [[phab:T174263]].
Does this make sense to you?

Well, I already that my oppinion. Email when login fails is something small and not important. The mail message when somebody evil succeeded to log in to your page js the important issue.

I really don't like the line "We’re sort of being told by the community that we’re letting the editors down".

We created and released a new feature; some people are suggesting a change in that feature, so we're reaching out to hear more. That's great and healthy and how this is supposed to work.

"We're sort of being told by the community" means that everyone hates this feature, and we're feeling sheepish and ashamed about it.

The text makes it pretty clear that there's a long list of good and important reasons why we should make the change, and there's no good reason to not make it. If that's the way that we feel about it, we shouldn't bother to have this conversation. Let's just make the change.

Well, I already that my oppinion. Email when login fails is something small and not important. The mail message when somebody evil succeeded to log in to your page js the important issue.

You are assuming that it will (almost) always detect you properly.

Sending an email when someone fails your user password is quite safe, since it stems from a bad action (someone tried to access your account not having the right credentials). Even if it's the actual account owner, he has done something wrong. On a normal usage, there will be zero notifications. And if the owner himself failed to log in, he would have received an error message at that point, and is likely to remember «oh, yes I mistyped my password a couple hours ago».

On the other hand, notification of a successful login by someone not recognised relies on heuristics. A user could be receiving 3-4 email notifications every day, at which point:

  • they are mainly useless, since he won't notice an "evil login" amongst the many emails that the wiki sends him for the proper ones
  • they don't have a way to determine if it was really them or not (as currently they only reveal that "there was a login", you need to match them based on timestamps)
  • they get annoyed at Wikimedia for spamming them

I don't think we should enable it globally without first obtaining data about the number of notifications it would trigger. This could be quite higher than expected.

In order to activate it, I would start by doing something clearer like warning when there is a login from a different country than those you previously connected from. Maybe also down to the AS. Those are quite accurate, and are simple to justify. (note: this is currently not implemented)

.

Another interesting topic would be if it is more or less likely that an account compromise happened guessing the right password at the first attempt, but I guess it will vary greatly depending on the way it was obtained, and if there were still a few bits of entropy that needed guessing.

Sorry, @Platonides, but we have some misunderstanding. I can't see why do you need heuristics to send a mail for successful login on unfamiliar device, and why do you think about 3-4 notifications every day - if you do not buy a new iPhone every hour, it should be once a year, maybe twice.

@IKhitron if the browser is configured to delete the cookies on exit, it will be unfamiliar every time, so you are back to "Did he edit recently from a nearby IP address?".

@IKhitron if the browser is configured to delete the cookies on exit, it will be unfamiliar every time, so you are back to "Did he edit recently from a nearby IP address?".

Well, now I undersfand you. And how these five users across the world do not get such letters from Gmail 3 times every day? Google has the same service, for all clients.

Maybe they do. Perhaps Google is smarter and uses more datapoints/configured differently. They could even not be using Gmail.

@IKhitron if the browser is configured to delete the cookies on exit, it will be unfamiliar every time, so you are back to "Did he edit recently from a nearby IP address?".

Well, now I undersfand you. And how these five users across the world do not get such letters from Gmail 3 times every day? Google has the same service, for all clients.

I can assure you the number of such users is much higher than 5. People use tor and what not to protect their privacy online.

Perhaps Google is smarter and uses more datapoints/configured differently.

Did you check this?

I can assure you the number of such users is much higher than 5. People use tor and what not to protect their privacy online.

So, there are also more users that use this and also Gmail.

Elitre added a subscriber: Elitre.Sep 1 2017, 8:29 AM

I'd pick a couple of wikis from English, Swedish, German, Danish, Norwegian (Bokmål, probably, rather than Nynorsk), mainly because it's easiest for me to follow and take part in discussions in those languages. (:

What about standardizing / making a routine about asking for early testers at the Tech Ambassadors mailing list, to give a chance to other projects (other voices, other perspectives) to step in?

Sure, but not for a task like this, given that this isn't about early testing of a feature – it's in production, and notifications are on by default, so everyone's already using it, so to speak – but simply asking what to do with a specific preference.

Whether to contact a larger or a smaller audience depends on the real needs of the current phase of the project, and I trust Johan's gut with this. I recommend for the future considering a "Community Wishlist" taskforce of people who want to be bugged about ideas etc.

Perhaps Google is smarter and uses more datapoints/configured differently.

Did you check this?

In order to check this, please point me to the repository where I can view the code Google is using.

Anyway, I did notice that -unsurprisingly- they use a different algorithm than us. Prompted by this thread, yesterday I noted that I had been using a logged in session for entering into Gmail (that's all that browser is used for), so I cleared their cookies. Today, it sent me an "Account security alert" on login, despite connecting from the same IP address and using the same browser version. I have to admit not paying much attention to those. Although, given that they appear on top just after you logged in, it is clear that it was generated by your current session. That's a bit different than viewing an email about a login at a different time on a third-party service.

Perhaps Google is smarter and uses more datapoints/configured differently.

Did you check this?

In order to check this, please point me to the repository where I can view the code Google is using.

So, you can't be sure.

Anyway, I did notice that -unsurprisingly- they use a different algorithm than us. Prompted by this thread, yesterday I noted that I had been using a logged in session for entering into Gmail (that's all that browser is used for), so I cleared their cookies. Today, it sent me an "Account security alert" on login, despite connecting from the same IP address and using the same browser version. I have to admit not paying much attention to those. Although, given that they appear on top just after you logged in, it is clear that it was generated by your current session. That's a bit different than viewing an email about a login at a different time on a third-party service.

This means that Google sends even more letters than wiki, and nobody cries.

So, you can't be sure.

Of course not. I'm pretty sure they are using a lot more information into their risk analysis of each login (and then, the action to take -the scores at which they are taken- probably depends on another analysis related to the account properties. For instance, I only seem to have received an login block requiring extra authentication when connecting from a new country). Maybe you should back your claim on T174568#3572025 stating why you consider that both algorithms are comparable.

This means that Google sends even more letters than wiki,

In my case it is sending a fair amount. But I'm not sure a population of 1 is representative.

Note it could eg. be exempting those where there is an Android smartphone using the same IP address logged in on this account (as they are constantly contacting Google). Yet that's not something available for Wikimedia to use.

and nobody cries.

It doesn't mean they like it or that such emails are actually useful (how good is a security notification you don't read?). Also, I would consider wikipedians much more vocals than Google users (mainly because Google pays little attention to that, though).

 

Rather than continuing working with assumptions or comparisons with Google, I think actual data on the accuracy of the extension should be gathered.

Maybe I just do not understand you. But how different can be an algorithm:

  1. Save each IP you ever were connected from.
  2. Put a cookie to each device you ever connected from.
  3. On each login, if the IP is not in the list and also if there is no cookie on this device, send a mail.
Johan moved this task from Backlog to Do now on the User-Johan board.Sep 5 2017, 4:11 AM
Johan closed this task as Declined.Sep 19 2017, 9:27 PM

T174263 has gone forward without this, so this is no longer relevant.

Johan moved this task from Do now to Archive on the User-Johan board.Jan 10 2018, 4:31 PM