
PRU: Improve Security & Standardize Experience for Password Reset [medium]
Open, Needs Triage, Public

Description

As a product manager, I want to update the behavior associated with password reset requests, so that we can improve security and standardize the messaging associated with such requests.

Background: In the process of developing Password Reset Update, we have had a series of conversations about how to create a more secure and standardized experience for users. We've discussed how these changes can be implemented globally -- not just for PRU users, but for all users who have email addresses associated with their accounts. We came up with a proposal, which we shared with the Security team in T237755. The proposal has received general approval, so we can now continue with the work.

The overall vision for this work is to: a) provide less information on Special:PasswordReset that could be used by bad faith actors (such as informing them whether a username or email address is recognized in the system), b) provide a standardized message after the password reset request has been submitted (so that bad faith actors can't differentiate between account preferences), and c) provide help to good faith actors who may have accidentally typed in an incorrect username/email address or invalid characters.

Acceptance Criteria:

  • If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen
    • This applies regardless of whether PRU is enabled, and regardless of whether the information entered is valid or invalid in the system
    • Exception #1: If the user submits a username with invalid characters, according to wiki rules, they should be prevented from completing the form.
    • Exception #2: If the user submits an email address with incomplete or invalid requirements (such as no "@" symbol), they should be prevented from completing the form.
  • The message that users see after generating a password reset request should be standardized so that it is always the same. The message should read: "If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page."
  • The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.
  • If possible, display what the user input in the previous screen (i.e., username, email address, or both). For example:
You have requested a password reset.

If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page.

The details you submitted are:
* Username: MyUsername
* Email address: me@example.com
  • If the user submitted only a username or email address, the text should only display the entered information (i.e., it shouldn't have something like "Username: n/a," if no username was submitted).

Visual Examples:

Screenshot of Special:PasswordReset on English Wikipedia:


Current messaging behavior: If only username OR if username and email address information submitted

Current messaging behavior: If only email address information submitted

Example of browser check for invalid email address:

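The acceptance criteria above describe a response that must not reveal whether a username or email address is known, while still rejecting syntactically invalid input and echoing only the fields that were submitted. The following is an added illustration in Python, not MediaWiki's code and not part of the task; the account table, the set of "invalid" username characters and the email regex are constructed placeholders, and the real rules would come from the wiki's own configuration.

```python
import re

# Constructed sample of the server's user table (username -> registered email).
# Nothing about its contents may be inferable from the response.
KNOWN_ACCOUNTS = {"MyUsername": "me@example.com"}

# Assumed placeholder rule set for "invalid characters according to wiki rules";
# a real deployment takes this from the wiki's own username policy.
INVALID_USERNAME_CHARS = set("#<>[]|{}/@:")
# Minimal syntactic email check, mirroring the browser's own "needs an @" complaint.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

STANDARD_MESSAGE = (
    "If the information submitted is valid, a password reset email will be sent. "
    "If you haven't received an email, we recommend that you visit the "
    "Password Reset Help page."
)


def validate(username, email):
    """Exceptions #1 and #2: reject on syntax only, never on account existence."""
    errors = []
    bad = sorted(INVALID_USERNAME_CHARS & set(username or ""))
    if bad:
        errors.append("You have entered an invalid character (%s)." % "".join(bad))
    if email and not EMAIL_RE.match(email):
        errors.append("Please enter a valid email address.")
    return errors


def handle_reset_request(username, email, accounts=KNOWN_ACCOUNTS, outbox=None):
    """Build the screen shown after submission. The response depends only on the
    submitted text, not on `accounts`; the mail side effect goes to `outbox`."""
    errors = validate(username, email)
    if errors:
        return {"ok": False, "errors": errors}
    # Resolve a recipient privately; the lookup outcome never reaches the
    # response (no "unknown user" or "no email on file" branches).
    recipient = accounts.get(username) or (email if email in accounts.values() else None)
    if recipient and outbox is not None:
        outbox.append(recipient)  # stands in for queueing the reset email
    # Echo only the fields that were submitted (no "Username: n/a" lines). When
    # rendering as HTML, these strings must still be escaped.
    details = []
    if username:
        details.append("Username: " + username)
    if email:
        details.append("Email address: " + email)
    return {"ok": True, "message": STANDARD_MESSAGE, "details": details}
```

A known and an unknown username produce the same message and the same shape of response; only the mail queue differs, and that is not visible to the requester.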
Details

Related Gerrit Patches:

Event Timeline

ifried created this task. Nov 22 2019, 10:47 PM
Restricted Application added a subscriber: Aklapper. Nov 22 2019, 10:47 PM
ifried updated the task description. Nov 27 2019, 3:37 PM
ifried renamed this task from Placeholder: Remove Notifications on Special:PasswordReset to PRU: Remove Notifications on Special:PasswordReset. Nov 27 2019, 3:40 PM
ifried added a project: Password-Reset-Update.
ifried updated the task description. Nov 27 2019, 3:53 PM
ifried updated the task description. Nov 27 2019, 4:49 PM
ifried updated the task description.
ifried updated the task description. Nov 27 2019, 4:55 PM
ifried renamed this task from PRU: Remove Notifications on Special:PasswordReset to PRU: Remove Information about Request Validity on Special:PasswordReset. Nov 27 2019, 5:52 PM
ifried updated the task description. Nov 27 2019, 5:55 PM
ifried renamed this task from PRU: Remove Information about Request Validity on Special:PasswordReset to PRU: Complete Request if Any Information Submitted on Special:PasswordReset. Nov 27 2019, 11:30 PM
ifried updated the task description.
ifried updated the task description.
ifried updated the task description.
ifried updated the task description. Nov 27 2019, 11:32 PM

@Prtksxna What do you recommend as the message we display for exceptions #1 and #2?

ifried renamed this task from PRU: Complete Request if Any Information Submitted on Special:PasswordReset to PRU: Complete Request if Any Information Submitted on Special:PasswordReset [medium]. Nov 28 2019, 12:33 AM
ifried moved this task from To be estimated/discussed to Estimated on the Community-Tech board.

@Prtksxna What do you recommend as the message we display for exceptions #1 and #2?

The browser will automatically prevent some invalid input, for example:

I think the system already has an error message that shows up, but I am not able to see it. Will update this ticket once I figure it out.

ifried renamed this task from PRU: Complete Request if Any Information Submitted on Special:PasswordReset [medium] to PRU: Improve Security & Standardize Experience for Password Reset [medium]. Dec 3 2019, 8:43 PM
ifried updated the task description.
ifried updated the task description.
ifried updated the task description.
ifried updated the task description. Dec 3 2019, 9:04 PM
ifried updated the task description.
ifried updated the task description.
ifried updated the task description. Dec 3 2019, 9:06 PM
ifried added a comment. Edited Dec 3 2019, 9:13 PM

Thanks, @Prtksxna. The browser message for incomplete email addresses makes sense. In that case, we probably just need a message for cases when users input usernames with invalid characters. How do you suggest we do this? Perhaps a basic message that states they have entered an invalid character & inclusion of the character, such as: "You have entered an invalid character (*)."

Why it's good to check for character validity: Good faith actors may accidentally type in an incorrect username. Since we'll no longer be informing them if a username is recognized in the system, a basic check of character validity would be helpful. Furthermore, the rules on character validity are publicly shared (for example, here are the rules for English Wikipedia), so such checks will not reveal private information.

ifried updated the task description. Dec 3 2019, 9:25 PM
Anomie added a subscriber: Anomie. Dec 3 2019, 9:27 PM

Note: We might already have a message about invalid characters in Usernames within the registration page? Worth checking if it's valid to reuse here.

ifried updated the task description. Dec 3 2019, 11:09 PM
ifried updated the task description.
ifried updated the task description. Dec 3 2019, 11:12 PM

@Mooeypoo good idea. Here is what it looks like on the Create account page:

[Screenshots: Without JS / With JS]

I think the system already has an error message that shows up, but I am not able to see it. Will update this ticket once I figure it out.

Here is how it shows up (thanks @Tchanders for teaching me how to do this)

Samwilson claimed this task. Dec 9 2019, 4:43 AM
Samwilson added a subscriber: Samwilson.

The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.

What should this page be called? Help:Reset_password?

"You have requested a password reset email for: testy/test@gmail.com" (if both submitted)

I'm not sure the slash is the best way to display the username and password together, because it's a valid character for the local part of an email address (although pretty rare). How about making it more explicit, e.g. bullet points with only the relevant ones shown:

You have requested a password reset email for:
* Username: testy
* Email address: test@gmail.com
ifried added a comment. Dec 9 2019, 7:01 PM

@Prtksxna: Any recommendations for what the Help page should be called? And any recommendations for where the "You have requested a password reset email..." text should be placed on the page?

@Samwilson: I agree about the language. I'll update the requirements now. Thanks!

ifried updated the task description. Dec 9 2019, 7:05 PM

And @Prtksxna, how do you think we should display the information on what the user submitted on Special:PasswordReset? Should there be bullet points, bolded text, etc? Thanks!

Change 556102 had a related patch set uploaded (by Samwilson; owner: Samwilson):
[mediawiki/core@master] Provide less information on Password Reset success page

https://gerrit.wikimedia.org/r/556102

What should this page be called? Help:Reset_password?

Sounds good to me 👍🏽

I'm not sure the slash is the best way to display the username and password together, because it's a valid character for the local part of an email address (although pretty rare). How about making it more explicit, e.g. bullet points with only the relevant ones shown:

Yeah, I agree the slash can be confusing. I am not so convinced with the bullet points though. Anything in bullet points takes up a lot of attention, and while we want the users to make sure that the information that they've entered is correct, I worry that if we have bullet points they won't read the second line.

I would prefer if we could fit the different combinations of info in a sentence form.

[Wireframes: Email / Username / Both]

Would this make it harder for translation though?

ifried added a comment. Edited Dec 10 2019, 5:32 PM

In a meeting today, @Prtksxna and I discussed the following:

• The Help page should perhaps be Help:Password_Reset, since this mirrors Special:PasswordReset.
• The general idea of having the user info in one sentence rather than bulletpoints makes sense, but the current wireframes have awkward grammar that we may want to revise (so we can discuss it as a team).

aezell added a subscriber: aezell. Dec 10 2019, 6:43 PM

Would this make it harder for translation though?

I was thinking that sentence order in some languages, or RTL in others, or both might make this particularly awkward.

With that in mind, what if we swap the order?

You have requested a password reset.

If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page.

The details you submitted are:
* Username: MyUsername
* Email address: me@example.com

That way, we might have the emphasis on the second sentence as @Prtksxna highlights while also having a clear format for the user-submitted data.

With that in mind, what if we swap the order?

Yeah, you're right, I think swapping will definitely help. I worry though that bullet points always take more attention no matter where on the page they are. This is surely a better option though, especially if we can't figure out a way to phrase the information in a sentence (and have it be i18n friendly).

ifried updated the task description. Dec 11 2019, 3:54 PM

@aezell and @Prtksxna This suggestion works for me. I have updated the requirements with the text, as written by Alex.

The Help page should perhaps be Help:Password_Reset, since this mirrors Special:PasswordReset.

That's true, but the passwordreset message that is the page title of Special:PasswordReset is 'Reset password', so that might be more visible to people than what's in the URL.

Whatever it's called, the page needs to exist before this ticket can proceed. @ifried do you have content for it?

@Samwilson Good point! I have just created the page, which is currently in draft mode. I don't have the content yet, but I plan to develop it next week. Sorry for the delay! Ultimately, I decided to go with "Help:Reset_password." Like you wrote, the button on the Special:PasswordReset page states "Reset password." Also, the language ("Reset password") is more commonly used than "Password reset." Thanks for pointing that out! Let me know if you need anything else.

Restricted Application edited projects, added Community-Tech; removed Community-Tech (Kanban-Q3-2019-20). Tue, Jan 7, 6:26 PM

The above patch is waiting for the help page to be more than a placeholder before it can be merged.

Update: A rough draft of the Help page has been written and is currently being reviewed. I plan to have it posted on MediaWiki early next week.