hauser wrote:

Suggestions

1. "rename the button" from "E-mail password" to "E-mail new random password" or alike to prevent users from thinking that the password sent is their real one...
2. this change mechanism lets anybody hijack an account if they can intercept plaintext eMail, so a) suggest to contact administrator *adminName* b) allow to upload gpg-pub-key/x509 certificate before you forgot your password and have the temp password sent with that encrypted key

1. is a good idea. 2b) is quite cool, although if the user had a certificate, you could directly allow login into the account using that certificate.

I'm not sure what do you mean with 2a.

Luciana, you can change MediaWiki:passwordremindertext removing $3 (the new password) from the message. They could still receive a "password email" saying "A new password fpr $2 has been requested from ip $1, but password reminders are disabled for this wiki".
You should also change messages like MediaWiki:passwordsent accordingly, to not say you have sent a password you haven't in fact sent.

hauser wrote:

with 2a) I mean that one could perhaps provide a phone number/eMail address of the super-user who may assist you in chaning your password if you forgot.

Sure, this is not scalable, but wiki's are often used in smaller settings where this is feasible and a lot securer than sending a temp pw

moreira wrote:

Platonides, thank you very much for your reply. I already corrected the texts in our server.

Nevertheless, I noticed that these pages are editable by anyone that has an account that is able to edit pages (in our case sysop).

For sure this is a great security improvement as only a smaller group of users can change our configuration. But ideally this page would only be editable by Bureaucrats just like the Special:Userrights

I know that per page access restriction is not the idea behind wikis, but is it possible to restrict the access to this page nonetheless?

hauser wrote:

re comment 4: ... and at least history cannot as easily be altered on who edited that page - thus at least one could find out whose account was broken in first ;)

BTW is there a log in which one could see

3. which logins used the temp password to login when?
4. from which remote-ip/user-agent that temp password request was issued

... just some forensics ...

Nevertheless, I noticed that these pages are editable by anyone that has an
account that is able to edit pages (in our case sysop).

No. Pages in the MediaWiki namespace are protected, so only users with the
editinterface right can edit it. sysop has that right by default, that's why
you were able to edit it.

For sure this is a great security improvement as only a smaller group of users
can change our configuration. But ideally this page would only be editable by
Bureaucrats just like the Special:Userrights

Add to localsettings.php
$wgGroupPermissions['sysop']['editinterface'] = false;
$wgGroupPermissions['bureaucrat']['editinterface'] = true;

moreira wrote:

Hi Platonides,

Once again thank you for your reply. I have configured our wiki accordingly and it is working as expected :)

My suggestion is to maybe put some pointers to this solution in the wiki manual where I first looked for the configuration: [http://www.mediawiki.org/wiki/Manual:Configuration_settings Manual:Configuration_settings] . This will probably prevent people from asking the same question to you in the future.

In addition I believe the ideas from Ralf would make nice enhancements.

Best regards,
Luciana

Clarifying summary.

I've also been asked about the possibility of a per-user preference for users who think they can manage their own passwords.

happy.melon.wiki wrote:

Fixed in r86482.