Page MenuHomePhabricator

PRU: Improve Security & Standardize Experience for Password Reset [medium]
Closed, ResolvedPublic

Description

As a product manager, I want to update the behavior associated with password reset requests, so that we can improve security and standardize the messaging associated with such requests.

Background: In the process of developing Password Reset Update, we have had a series of conversations about how to create a more secure and standardized experience for users. We've discussed how these changes can be implemented globally -- not just for PRU users, but for all users who have email addresses associated with their accounts. We came up with a proposal, which we shared with the Security team in T237755. The proposal has received general approval, so we can now continue with the work.

The overall vision for this work is to: a) provide less information on Special:PasswordReset that could be used by bad faith actors (such as informing them whether a username or email address is recognized in the system), b) provide a standardized message after the password reset request has been submitted (so that bad faith actors can't differentiate between account preferences), and c) provide help to good faith actors who may have accidentally typed in an incorrect username/email address or invalid characters.

Acceptance Criteria:

  • If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen
    • This applies regardless of whether PRU is enabled, and regardless of whether the information entered is valid or invalid in the system
    • Exception #1: If the user submits a username with invalid characters, according to wiki rules, they should be prevented from completing the form.
    • Exception #2: If the user submits an email address with incomplete or invalid requirements (such as no "@" symbol), they should be prevented from completing the form.
  • The message that users see after generating a password reset request should be standardized so that it is always the same. The message should read: "If the information submitted is valid, a password reset email will be sent. If you haven’t received an email, we recommend that you visit the Password Reset Help page.”
  • The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.
  • If possible, display what user input in the previous screen (i.,e, username, email address, or both). For example:
You have a requested a password reset. 

If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page.

The details you submitted are:
* Username: MyUsername
* Email address: me@example.com
  • If the user submitted only a username or email address, the text should only display the entered information (i.e., it shouldn't have something like "Username: n/a," if no username was submitted).

Visual Examples:

Screenshot of Special:PasswordReset on English Wikipedia:


Current messaging behavior: If only username OR if username and email address information submitted

Current messaging behavior: If only email address information submitted

Example of browser check for invalid email address:

Details

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
ifried updated the task description. (Show Details)Nov 27 2019, 4:55 PM
ifried renamed this task from PRU: Remove Notifications on Special:PasswordReset to PRU: Remove Information about Request Validity on Special:PasswordReset.Nov 27 2019, 5:52 PM
ifried updated the task description. (Show Details)Nov 27 2019, 5:55 PM
ifried renamed this task from PRU: Remove Information about Request Validity on Special:PasswordReset to PRU: Complete Request if Any Information Submitted on Special:PasswordReset.Nov 27 2019, 11:30 PM
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)Nov 27 2019, 11:32 PM

@Prtksxna What do you recommend as the message we display for exceptions #1 and #2?

ifried renamed this task from PRU: Complete Request if Any Information Submitted on Special:PasswordReset to PRU: Complete Request if Any Information Submitted on Special:PasswordReset [medium].Nov 28 2019, 12:33 AM
ifried moved this task from To Be Estimated/Discussed to Estimated on the Community-Tech board.

@Prtksxna What do you recommend as the message we display for exceptions #1 and #2?

The browser will automatically prevent some invalid input, for example:

I think the system already has an error message that shows up, but I am not able to see it. Will update this ticket once I figure it out.

ifried renamed this task from PRU: Complete Request if Any Information Submitted on Special:PasswordReset [medium] to PRU: Improve Security & Standardize Experience for Password Reset [medium].Dec 3 2019, 8:43 PM
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)Dec 3 2019, 9:04 PM
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)Dec 3 2019, 9:06 PM
ifried added a comment.EditedDec 3 2019, 9:13 PM

Thanks, @Prtksxna. The browser message for incomplete email addresses makes sense. In that case, we probably just need a message for cases when users input usernames with invalid characters. How do you suggest we do this? Perhaps a basic message that states they have entered an invalid character & inclusion of the character, such as: "You have entered an invalid character (*)."

Why it's good to check for character validity: Good faith actors may accidentally type in an incorrect username. Since we'll no longer be informing them if a username is recognized in the system, a basic check of character validity would be helpful. Furthermore, the rules on character validity are publicly shared (for example, here are the rules for English Wikipedia), so such checks will not reveal private information.

ifried updated the task description. (Show Details)Dec 3 2019, 9:25 PM
Anomie added a subscriber: Anomie.Dec 3 2019, 9:27 PM

Note: We might already have a message about invalid characters in Usernames within the registration page? Worth checking if it's valid to reuse here.

ifried updated the task description. (Show Details)Dec 3 2019, 11:09 PM
ifried updated the task description. (Show Details)
ifried updated the task description. (Show Details)Dec 3 2019, 11:12 PM

@Mooeypoo good idea. Here is what it looks like on the Create account page:

Without JSWith JS

I think the system already has an error message that shows up, but I am not able to see it. Will update this ticket once I figure it out.

Here is how it shows up (thanks @Tchanders for teaching me how to do this)

Samwilson claimed this task.Dec 9 2019, 4:43 AM
Samwilson added a subscriber: Samwilson.

The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.

What should this page be called? Help:Reset_password?

"You have requested a password reset email for: testy/test@gmail.com" (if both submitted)

I'm not sure the slash is the best way to display the username and password together, because it's a valid character for the local part of an email address (although pretty rare). How about making it more explicit, e.g. bullet points with only the relevant ones shown:

You have requested a password reset email for:
* Username: testy
* Email address: test@gmail.com
ifried added a comment.Dec 9 2019, 7:01 PM

@Prtksxna: Any recommendations for what the Help page should be called? And any recommendations for where the "You have requested a password reset email..." text should be placed on the page?

@Samwilson: I agree with about the language. I'll update the requirements now. Thanks!

ifried updated the task description. (Show Details)Dec 9 2019, 7:05 PM

And @Prtksxna, how do you think we should display the information on what the user submitted on Special:PasswordReset? Should there be bullet points, bolded text, etc? Thanks!

Change 556102 had a related patch set uploaded (by Samwilson; owner: Samwilson):
[mediawiki/core@master] Provide less information on Password Reset success page

https://gerrit.wikimedia.org/r/556102

What should this page be called? Help:Reset_password?

Sounds good to me 👍🏽

I'm not sure the slash is the best way to display the username and password together, because it's a valid character for the local part of an email address (although pretty rare). How about making it more explicit, e.g. bullet points with only the relevant ones shown:

Yeah, I agree the slash can be confusing. I am not so convinced with the bullet points though. Anything in bullet points takes up a lot of attention, and while we want the users to make sure that the information that they've entered is correct, I worry that if we have bullet points they wont read the second line.

I would prefer if we could fit the different combinations of info in a sentence form.

EmailUsernameBoth

Would this make it harder for translation though?

ifried added a comment.EditedDec 10 2019, 5:32 PM

In a meeting today, @Prtksxna and I discussed the following:

• The Help page should perhaps be Help:Password_Reset, since this mirrors Special:PasswordReset.
• The general idea of having the user info in one sentence rather than bulletpoints makes sense, but the current wireframes have awkward grammar that we may want to revise (so we can discuss it as a team).

aezell added a subscriber: aezell.Dec 10 2019, 6:43 PM

Would this make it harder for translation though?

I was thinking that sentence order in some languages, or RTL in others, or both might make this particularly awkward.

With that in mind, what if we swap the order?

You have a requested a password reset. 

If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page.

The details you submitted are:
* Username: MyUsername
* Email address: me@example.com

That way, we might have the emphasis on the second sentence as @Prtksxna highlights while also having a clear format for the user-submitted data.

With that in mind, what if we swap the order?

Yeah, you're right, I think swapping will definitely help. I worry though that bullet points always take more attention no matter where on the page they are. This is surely a better option though, especially if we can't figure out a way to phrase the information in sentence (and have it be i18n friendly).

ifried updated the task description. (Show Details)Dec 11 2019, 3:54 PM

@aezell and @Prtksxna This suggestion works for me. I have updated the requirements with the text, as written by Alex.

The Help page should perhaps be Help:Password_Reset, since this mirrors Special:PasswordReset.

That's true, but the passwordreset message that is the page title of Special:PasswordReset is 'Reset password', so that might be more visible to people than what's in the URL.

Whatever it's called, the page needs to exist before this ticket can proceed. @ifried do you have content for it?

@Samwilson Good point! I have just created the page, which is currently in draft mode. I don't have the content yet, but I plan to develop it next week. Sorry for the delay! Ultimately, I decided to go with "Help:Reset_password." Like you wrote, the button on the Special:PasswordReset page states "Reset password." Also, the language ("Reset password") is more commonly used than "Password reset." Thanks for pointing that out! Let me know if you need anything else.

Restricted Application edited projects, added Community-Tech; removed Community-Tech (Kanban-Q3-2019-20). · View Herald TranscriptJan 7 2020, 6:26 PM

The above patch is waiting for the help page to be more than a placeholder before it can be merged.

Update: A rough draft of the Help page has been written and is currently being reviewed. I plan to have it posted on MediaWiki early next week.

@Samwilson: The Help:Reset password page is now up on MediaWiki. Thanks!

Change 556102 merged by jenkins-bot:
[mediawiki/core@master] Standardize information on Password Reset success page

https://gerrit.wikimedia.org/r/556102

This is ready for QA. I've been trying to test it on the the beta wikis, but there seems to be some issue with logging out and maybe csrf tokens in general.

dom_walden added a subscriber: dom_walden.

I used a script to systematically cover every (valid) combination of username + email based on:

  • Is the username/email blank
  • Does the username/email exist on the system
  • Does the username/email have PRU enabled
  • Does the username have an email associated with it
  • Has the username/email hit their password reset request limit (more than one request in 24 hours)

I recorded the message I got from password reset.

I also checked that a password reset email was being sent when it should be.

Also repeated this with my IP throttled from making password reset requests (set in $wgRateLimits).

Acceptance Criteria:

  • If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen
    • This applies regardless of whether PRU is enabled, and regardless of whether the information entered is valid or invalid in the system

This is true, with the exceptions already noted below and a few more (roughly in order of precedence/priority):

  1. If the user has PRU option checked in Special:Preferences and you enter only their username. Normal PRU message: "Both username and email address are required to receive a temporary password via email."
    • This does not happen if you enter both username and email, or just their email. In these cases, the new message (as specified in the description) appears.
  2. IP has been throttled from making password reset requests (i.e. the IP has already made 5 password reset requests). Message: "As an anti-abuse measure, you are limited from performing this action too many times in a short space of time, and you have exceeded this limit. Please try again in a few minutes. "
  3. User has already made a password reset request in the last 24 hours, and the info submitted complies with other rules (e.g. PRU). Message: "A password reset email has already been sent, within the last 24 hours. To prevent abuse, only one password reset email will be sent per 24 hours."
  4. Both input fields are empty. Message: "Neither a username nor an email address was supplied"
  • Exception #1: If the user submits a username with invalid characters, according to wiki rules, they should be prevented from completing the form.

Form is reloaded with the message "You have not specified a valid user name."

I am not sure exactly what the invalid characters are, but I entered strings like +=!£$%^*()_-~#;?}]{["''¬.

  • Exception #2: If the user submits an email address with incomplete or invalid requirements (such as no "@" symbol), they should be prevented from completing the form.

Browser validation (e.g. on Firefox you are shown "Please enter an email address", Chrome is as the last screenshot in description).

Does not appear to matter if JavaScript is enabled or disabled.

  • The message that users see after generating a password reset request should be standardized so that it is always the same. The message should read: "If the information submitted is valid, a password reset email will be sent. If you haven’t received an email, we recommend that you visit the Password Reset Help page.”

The text is as specified in the description, except that it states "...we recommend that you visit the reset password help page." instead of "...Password Reset Help page."

  • The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.

Link is to https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Reset_password

  • If possible, display what user input in the previous screen (i.,e, username, email address, or both). For example:

...

  • If the user submitted only a username or email address, the text should only display the entered information (i.e., it shouldn't have something like "Username: n/a," if no username was submitted).

This is true.

Version tested: my own local vagrant environment running MediaWiki 1.35.0-alpha (10b98b7)

Hello @dom_walden and @Samwilson

There seems to be some confusion (and apologies if there was any!). From what I read in the QA notes: If the user has PRU option checked in Special:Preferences and you enter only their username. Normal PRU message: "Both username and email address are required to receive a temporary password via email."

This is incorrect behavior, according to the acceptance criteria. As stated in the first bullet point: "If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen." This means that there should be no message that blocks users from submitting information, whether or not it is considered valid or complete. Overall, it's important that we have a standardized experience, so that we provide more security to users via Special:PasswordReset.

For this reason, I'm moving this ticket back to 'In Development.' Thanks (and please reach out if you have questions)!

Anomie removed a subscriber: Anomie.Feb 14 2020, 10:04 PM

Just to clarify for engineering related thing, am I right to say that, basically, the message ("Both username and email address are required to receive a temporary password via email.") should never appear anywhere, @ifried ?

That is, we could (and should) get rid of passwordreset-username-email-required key and message entirely, and make sure it never appears in the UI?

Or am I missing something? (just verifying!)

Yes, @Mooeypoo, you are correct. We should remove the message (i.e., "Both username and email address are required to receive a temporary password via email") entirely. Thanks!

Change 572504 had a related patch set uploaded (by Samwilson; owner: Samwilson):
[mediawiki/core@master] Don't tell user when email is required but not supplied

https://gerrit.wikimedia.org/r/572504

Sorry, I missed that point! Done now (I think); patch ready for review.

dom_walden added a comment.EditedFeb 18 2020, 3:54 PM

Hello @dom_walden and @Samwilson
There seems to be some confusion (and apologies if there was any!). From what I read in the QA notes: If the user has PRU option checked in Special:Preferences and you enter only their username. Normal PRU message: "Both username and email address are required to receive a temporary password via email."

Ah, ok. I had assumed we would be ok revealing usernames via the password reset form, as this is something you can find out easily anyway.

But, as you point out, it does violate point 1 and 2 of the acceptance criteria. Apologies.

Change 572504 merged by jenkins-bot:
[mediawiki/core@master] Don't tell user when email is required but not supplied

https://gerrit.wikimedia.org/r/572504

dom_walden added a comment.EditedFeb 18 2020, 7:00 PM

Testing this on https://en.wikipedia.beta.wmflabs.org (version: MediaWiki 1.35.0-alpha (c664b4f) 17:32, 18 February 2020).

For an account with PRU enabled, regardless of whether I enter just the username, just the email or both, I see the new message screen (bullet point 2 in acceptance criteria). When entering both I successfully get a password reset email.

I assume that the train went out with the version before Sam's last patch, i.e. the version with the incorrect behaviour noted by Ilana in T238961#5885739.

I also did a search on all our codebase (using https://codesearch.wmflabs.org/search/) for the term passwordreset-username-email-required. I did not find it anywhere.

This is now on production, so I'm marking this work as Done.

ifried closed this task as Resolved.Feb 21 2020, 9:55 PM