
Reword notification of failed logins to avoid unnecessary password changes
Open, Medium, Public

Description

So the message says: "There has been *a failed attempt* to log in to your account from a new device. Please make sure your account has a strong password.

Change password"

Now I've seen a lot of people during this last brute-force run interpret this message as:

  • My password was guessed
  • OR my password has been judged too weak
  • THUS I MUST change it.

People interpret it in an imperative mood: instructive instead of advisory. People said things like "I already had a randomly generated password but I created a new even longer randomly generated password".

This seems to be caused especially by the action connected to it: "Change password"; that seems to be the key. Better would be if it could be something like "Test password strength" (if we actually had that option) etc etc.

Ideas for improving the wording welcomed.

Event Timeline

I think all of the messages could probably do with some improvements to some extent

{
	"notification-header-login-success": "Someone (probably {{GENDER:$1|you}}) recently logged in to your account from a new device. If this was you, then you can disregard this message. If it wasn't you, then it's recommended that you change your password, and check your account activity.",
	"notification-new-bundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account from a new device since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-known-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-new-unbundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''multiple failed attempts'''}} to log in to your account from a new device. Please make sure your account has a strong password."
}

We use the term "strong password" but we don't define any rules for this... As TheDJ says, it'd be nice (though, IIRC we've tried to implement one before) to have a "password strength" indicator

Certainly including best practices (numerous characters, numbers, symbols...)... And a suggestion that maybe it's time to change your password if you haven't done so in a long time

Bawolff subscribed.

I agree, we certainly saw a lot of people unnecessarily panicking.

It was interesting to see the amount of people independently reporting this after just getting one email too...

It was interesting to see the amount of people independently reporting this after just getting one email too...

tbf, I think we were sending 800 emails/hour. It's only a small percentage who told us.

  • notification-header-login-success could probably use a way to report it (if someone is successfully breaking into accounts, we'd want to learn about that sooner rather than later)
  • seemingly out of sheer spite, notification-new-unbundled-header-login-fail does not tell you the number of failed attempts, which makes it hard to assess whether this was someone misremembering their username or a real attack.
  • Instead of If it wasn't you, please make sure your account has a strong password., how about If you use a strong unique password, you can safely disregard this message; otherwise you should change it.? (Would be nice to drop in a link to some tutorial, too. Would be extra nice to mention 2FA but for that it'd have to check whether it's installed and the user can enable it.)
  • seemingly out of sheer spite, notification-new-unbundled-header-login-fail does not tell you the number of failed attempts, which makes it hard to assess whether this was someone misremembering their username or a real attack.

Seems like it can only access the number of bundled events, not the count parameter of each? If so, I'd be inclined to call that a bug in Echo.

  • seemingly out of sheer spite, notification-new-unbundled-header-login-fail does not tell you the number of failed attempts, which makes it hard to assess whether this was someone misremembering their username or a real attack.

A bit more good faith would be appreciated. :)
As you worked out, it was indeed tricky to get that information readily out of Echo so we resorted to showing 'multiple'. I personally think it might make people panic more if they saw the counter. If I recall correctly, in a one-off incident when LoginNotify was first launched there were 100+ attempts made overnight to log in to a single user account.
I'm all for rewording the notifications. Something that came up in a team meeting recently was that people didn't realize that clicking the notification would lead to a help page. To mitigate that, we could add a link to the help page in the notification and link to the change password page from the help page instead of the notification.

Sorry, that was my (poor) attempt to be funny. I do think it is unhelpful though - if "multiple" means 2, someone probably forgot their user name and tried to log in as me a few times. If it means 100, someone is trying to break into my account. It's a very relevant difference.
Filed as T194484: Bundled Echo notifications should be able to aggregate the parameters of the individual notifications.
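An added example to illustrate the counting problem discussed in the comments above; this is not code from LoginNotify, Echo, or anyone in this thread. It models the two counting rules a bundle can use for $1: the number of bundled events (what the thread says Echo exposes) versus the sum of each event's own count parameter (what the reader actually needs to tell a mistyped username from an attack). The three message keys and their wording are the ones quoted earlier on this page; the event shape, the two counting functions, the PLURAL stand-in and the sample events are constructed here and do not reflect how the real extensions store or bundle events.

```python
"""Added example (not LoginNotify or Echo code): why the attempt count shown in
a bundled failed-login notification can be wrong, and what the accurate
aggregation looks like.

The three message keys and their wording are quoted from the task. The event
shape, the two counting rules and the sample events are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginFailEvent:
    account: str        # account the attempts targeted
    count: int          # attempts this one notification event stands for
    new_device: bool    # attempts came from a device not seen for this account


# The i18n strings as quoted in the task, wiki bold markup (''') left in place.
MESSAGES = {
    "notification-new-bundled-header-login-fail":
        "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} "
        "to log in to your account from a new device since the last time you logged in. "
        "If it wasn't you, please make sure your account has a strong password.",
    "notification-known-header-login-fail":
        "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} "
        "to log in to your account since the last time you logged in. "
        "If it wasn't you, please make sure your account has a strong password.",
    "notification-new-unbundled-header-login-fail":
        "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''multiple failed attempts'''}} "
        "to log in to your account from a new device. Please make sure your account has a strong password.",
}

_PLURAL = re.compile(r"\{\{PLURAL:\$1\|([^|]*)\|([^}]*)\}\}")


def render(key, n):
    """Expand {{PLURAL:$1|one|other}} with English rules, then substitute $1.
    A deliberately minimal stand-in for MediaWiki's message parser."""
    text = _PLURAL.sub(lambda m: m.group(1) if n == 1 else m.group(2), MESSAGES[key])
    return text.replace("$1", str(n))


def message_key(events):
    """Pick the key the way the quoted messages are organised: 'known' if any
    event came from a known device, otherwise unbundled vs. bundled by event count."""
    if not all(e.new_device for e in events):
        return "notification-known-header-login-fail"
    return ("notification-new-unbundled-header-login-fail" if len(events) == 1
            else "notification-new-bundled-header-login-fail")


def count_bundles(events):
    """$1 as the bundle exposes it: the number of bundled events."""
    return len(events)


def count_attempts(events):
    """$1 as the reader needs it: the sum of each event's count parameter."""
    return sum(e.count for e in events)


def notification(events, counter=count_attempts):
    """Render the header for one account's events using the given counting rule."""
    if len({e.account for e in events}) != 1:
        raise ValueError("bundle events per account before rendering")
    return render(message_key(events), counter(events))


if __name__ == "__main__":
    # Constructed sample: two batches of five failures each from an unknown device.
    batches = [LoginFailEvent("Alice", 5, True), LoginFailEvent("Alice", 5, True)]
    print(notification(batches, count_bundles))   # reports 2 attempts (bundles)
    print(notification(batches, count_attempts))  # reports 10 attempts
    # A single event of seven failures: the unbundled wording hides the number.
    print(notification([LoginFailEvent("Alice", 7, True)]))
```

With two events of five attempts each, counting bundles yields "2 failed attempts" while counting attempts yields "10"; a single event of seven attempts renders as "multiple failed attempts" whatever the counter, because that message string never emits $1.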

The change password page is a very bad place to link IMO. It does not have any documentation (on when to change it, or how to choose a good password), and it seems to suggest that the user should change their password, even though users with a decently strong password or 2FA have nothing to worry about.

Btw, email notifications display the number of failed attempts:

[Screenshot (Screen Shot 2018-06-06 at 10.22.55 AM.png): email notification showing the number of failed attempts]

Vvjjkkii renamed this task from Reword notification of failed logins to avoid unnecessary password changes to q7caaaaaaa. Jul 1 2018, 1:11 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from q7caaaaaaa to Reword notification of failed logins to avoid unnecessary password changes. Jul 2 2018, 4:20 PM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description.
CommunityTechBot added a subscriber: Aklapper.
Cirdan moved this task from Epics in progress to Incoming on the Security-Team board.
Cirdan subscribed.

Sorry, trackpad issues...

Change 450472 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/LoginNotify@master] Use accurate count when bundling multiple login failure warnings

https://gerrit.wikimedia.org/r/450472

Change 450472 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Use accurate count when bundling multiple login failure warnings

https://gerrit.wikimedia.org/r/450472