As a product manager, I want to update the behavior associated with password reset requests, so that we can improve security and standardize the messaging associated with such requests.
Background: In the process of developing Password Reset Update, we have had a series of conversations about how to create a more secure and standardized experience for users. We've discussed how these changes can be implemented globally -- not just for PRU users, but for all users who have email addresses associated with their accounts. We came up with a proposal, which we shared with the Security team in T237755. The proposal has received general approval, so we can now continue with the work.
The overall vision for this work is to: a) provide less information on Special:PasswordReset that could be used by bad faith actors (such as informing them whether a username or email address is recognized in the system), b) provide a standardized message after the password reset request has been submitted (so that bad faith actors can't differentiate between account preferences), and c) provide help to good faith actors who may have accidentally typed in an incorrect username/email address or invalid characters.
- If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen
- This applies regardless of whether PRU is enabled, and regardless of whether the information entered is valid or invalid in the system
- Exception #1: If the user submits a username with invalid characters, according to wiki rules, they should be prevented from completing the form.
- Exception #2: If the user submits an email address with incomplete or invalid requirements (such as no "@" symbol), they should be prevented from completing the form.
- The message that users see after generating a password reset request should be standardized so that it is always the same. The message should read: "If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page."
- The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.
- If possible, display what the user input on the previous screen (i.e., username, email address, or both). For example:
  "You have requested a password reset. If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page. The details you submitted are:
  * Username: MyUsername
  * Email address: email@example.com"
- If the user submitted only a username or email address, the text should only display the entered information (i.e., it shouldn't have something like "Username: n/a," if no username was submitted).
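The following is an added illustration of the requested behaviour, not code from MediaWiki or from this task: a single handler that blocks the form only for the two exceptions above (invalid username characters, malformed email address) and otherwise returns the same standardized message whether or not the submitted username or email address exists. The account store, the username character rule and the email shape check are assumptions chosen to make the example run stand-alone.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store (username -> email). Only the internal
# send decision depends on it; the user-visible message never does.
ACCOUNTS = {"MyUsername": "email@example.com"}

STANDARD_MESSAGE = (
    "You have requested a password reset. If the information submitted is "
    "valid, a password reset email will be sent. If you haven't received an "
    "email, we recommend that you visit the Password Reset Help page."
)

# Assumed stand-in for the wiki's username rules (the real set is wiki-specific):
# reject characters MediaWiki forbids in titles plus control characters.
INVALID_USERNAME_CHARS = re.compile(r"[#<>\[\]|{}\x00-\x1f]")
# Minimal shape check for exception #2, mirroring the browser check in the task.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass
class Outcome:
    form_error: Optional[str]  # set when the form is blocked (exceptions 1 and 2)
    message: Optional[str]     # standardized message shown in every other case
    email_queued: bool         # internal only; must never influence `message`

def handle_reset_request(username: str = "", email: str = "") -> Outcome:
    username, email = username.strip(), email.strip()
    if not username and not email:
        return Outcome("Enter a username or an email address.", None, False)
    # Exception #1: invalid characters in the username block the form.
    if username and INVALID_USERNAME_CHARS.search(username):
        return Outcome("The username contains invalid characters.", None, False)
    # Exception #2: a malformed email address blocks the form.
    if email and not EMAIL_SHAPE.match(email):
        return Outcome("Enter a valid email address.", None, False)
    # Decide internally whether anything will be sent; do not reflect it.
    if username:
        stored = ACCOUNTS.get(username)
        queued = stored is not None and (not email or stored.lower() == email.lower())
    else:
        queued = any(e.lower() == email.lower() for e in ACCOUNTS.values())
    # Same message whether or not anything matched; echo only submitted fields.
    details = [f"* Username: {username}"] if username else []
    if email:
        details.append(f"* Email address: {email}")
    message = STANDARD_MESSAGE + " The details you submitted are: " + " ".join(details)
    return Outcome(None, message, queued)
```

The check that matters for enumeration is that the message for a known username and an unknown one differ only in the echoed details, never in wording.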
Screenshot of Special:PasswordReset on English Wikipedia (image not reproduced here):
Current messaging behavior when only a username, or both a username and an email address, is submitted (screenshot not reproduced here):
Current messaging behavior when only an email address is submitted (screenshot not reproduced here):
Example of the browser's own check for an invalid email address (screenshot not reproduced here):