Page MenuHomePhabricator

Security checkup/reminder for verifying email and authentication details
Open, NormalPublic

Description

(the below idea is based on an idea raised on hewiki WP:VP)
Many websites have regular security checkups - reminding users to verify their preferences, e.g something as "is your password strong enough? if you loose your password, would you be able to recover it? did you verify your email? is your email still valid? Would you like to enable 2 factors authentication?"

This is especially important for the following scenarios:

  • new users getting registered and forgetting to fill/verify their email. Shortly afterwards, they forget their password and need to create new account. If they decided to not fill email, they should be aware that it isn't possible to recover the password (so they should either fill it or backup their password)
  • users setting easy password on first signup (the potential damage of the password being lost/stolen is small), and as they get more trusted and more user rights they are not aware to the importance of replacing to strong password

I suggest to have such reminder in the following milestones:

  • Shortly after user get registered (1 edit? 10th edit? 4 days on auto promote to auto-confirmed?)
  • Whenever a user-right change (getting more rights => more potential damage)

Event Timeline

eranroz created this task.Jan 4 2018, 7:19 PM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptJan 4 2018, 7:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Is the Security team interested in working on this? @Reedy @Bawolff (sorry for the individual pings, I couldn't find a tag for the security team itself).

Restricted Application added a project: Growth-Team. · View Herald TranscriptAug 28 2018, 12:59 PM
chasemp triaged this task as Normal priority.Sep 4 2018, 4:04 PM
chasemp edited projects, added Security-team-backlog; removed Security-Team.
chasemp added a subscriber: chasemp.

Is the Security team interested in working on this? @Reedy @Bawolff (sorry for the individual pings, I couldn't find a tag for the security team itself).

poke @Reedy or @Bawolff