Page MenuHomePhabricator

Reword notification of failed logins to avoid unnecessary password changes
Open, Needs TriagePublic

Description

So the message says: "There has been *a failed attempt* to log in to your account from a new device. Please make sure your account has a strong password.

Change password"

Now I've seen a lot of people during this last bruteforce run interpret this message as:

  • My password was guessed
  • OR my password has been judged too weak
  • THUS I MUST change it.

People interpret it is an imperative mood: instructive instead of advisory. People who said "I already had a randomly generated password but I created a new even longer randomly generated password"

This seems especially caused by the action connected to it: "Change password" that seems to be the key. Better would be if it could be something like "Test password strength" (if we actually had that option) etc etc.

Ideas for improving the wording welcomed.

Event Timeline

TheDJ created this task.May 10 2018, 11:20 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 10 2018, 11:20 AM
Reedy added a subscriber: Reedy.May 10 2018, 11:52 AM

I think all of the messages could probably do with some improvements to some extent

	"notification-header-login-success": "Someone (probably {{GENDER:$1|you}}) recently logged in to your account from a new device. If this was you, then you can disregard this message. If it wasn't you, then it's recommended that you change your password, and check your account activity.",
	"notification-new-bundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account from a new device since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-known-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-new-unbundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''multiple failed attempts'''}} to log in to your account from a new device. Please make sure your account has a strong password."
}

We use the term "strong password" but we don't define any rules for this... As TheDJ says, it'd be nice (though, IIRC we've tried to implement one before) to have a "password strength" indicator

Certainly including best practices (numerous characters, numbers, symbols...)... And a suggestion that maybe it's time to change your password if you haven't done so in a long time

Bawolff added a subscriber: Bawolff.

I agree, we certainly saw a lot of people unnecessarily panicking.

It was interesting to see the amount of people independently reporting this after just getting one email too...

It was interesting to see the amount of people independently reporting this after just getting one email too...

tbf, I think we were sending 800 emails/hour. Its only a small percentage who told us.

Tgr added a subscriber: Tgr.May 10 2018, 3:50 PM
  • notification-header-login-success could probably use a way to report it (if someone is successfully breaking into accounts, we'd want to learn about that sooner rather than later)
  • seemingly out of sheer spite, notification-new-unbundled-header-login-fail does not tell you the number of failed attempts, which make it hard to assess whether this was someone misremembering their username or a real attack.
  • Instead of If it wasn't you, please make sure your account has a strong password., how about If you use a strong unique password, you can safely disregard this message; otherwise you should change it.? (Would be nice to drop in a link to some tutorial, too. Would be extra nice to mention 2FA but for that it'd have to check whether it's installed and the user can enable it.)
Tgr added a comment.May 10 2018, 3:51 PM
  • seemingly out of sheer spite, notification-new-unbundled-header-login-fail does not tell you the number of failed attempts, which make it hard to assess whether this was someone misremembering their username or a real attack.

Seems like it can only access the number of bundled events, not the count parameter of each? If so, I'd be inclined to call that a bug in Echo.

  • seemingly out of sheer spite, notification-new-unbundled-header-login-fail does not tell you the number of failed attempts, which make it hard to assess whether this was someone misremembering their username or a real attack.

A bit more good faith would be appreciated. :)
As you worked out, it was indeed tricky to get that information readily out of Echo so we resorted to showing 'multiple'. I personally think it might make people panic more if they saw the counter. If I recall correctly, in a one-off incident when LoginNotify was first launched there were 100+ attempts made overnight to login to a single user account.
I'm all for rewording the notifications. Something that came up in a team meeting recently was that people didn't realize that clicking the notification would lead to a help page. To mitigate that, we could add a link to the help page in the notification and link to the change password page from the help page instead of the notification.

Sorry, that was my (poor) attempt to be funny. I do think it is unhelpful though - if "multiple" means 2, someone probably forgot their user name and tried to log in as me a few times. If it means 100, someone is trying to break into my account. It's a very relevant difference.
Filed as T194484: Bundled Echo notifications should be able to aggregate the parameters of the individual notifications.

The change password page is a very bad place to link IMO. It does not have any documentation (on when to change it, or how to choose a good password), and it seems to suggest that the user should change their password, even thought users with a decently strong password or 2FA have nothing to worry about.

Btw, Email notifications display the number of failed attempts:

Vvjjkkii renamed this task from Reword notification of failed logins to avoid unnecessary password changes to q7caaaaaaa.Jul 1 2018, 1:11 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from q7caaaaaaa to Reword notification of failed logins to avoid unnecessary password changes.Jul 2 2018, 4:20 PM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot added a subscriber: Aklapper.
Restricted Application added a project: Community-Tech. · View Herald TranscriptJul 20 2018, 8:22 PM
Cirdan moved this task from Epics in progress to Backlog on the Security-Team board.
Cirdan added a subscriber: Cirdan.

Sorry, trackpad issues...

Change 450472 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/LoginNotify@master] Use accurate count when budling multiple login failure warnings

https://gerrit.wikimedia.org/r/450472

Change 450472 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Use accurate count when budling multiple login failure warnings

https://gerrit.wikimedia.org/r/450472