Page MenuHomePhabricator
Create Task
Maniphest T356409

Make it clear what password is being reset
Closed, ResolvedPublic
Actions

Description

As reported by @RoySmith, it's unclear on https://idm.wikimedia.org/wikimedia/password/ as to what password is actually being changed.

A user shouldn't need to know the intricacies of our systems, to know that changing a password for MyUsername here isn't going to change the password on other WMF wikis with the same username

Details

SubjectRepoBranchLines +/-
Make it clear what password is being resetoperations/software/bitumaster+7 -1
Customize query in gerrit

Related Objects

Event Timeline

Reedy created this task.Feb 1 2024, 2:26 PM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptFeb 1 2024, 2:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Reedy mentioned this in T356411: Make it clear which 2FA to use.Feb 1 2024, 2:31 PM
RoySmith added a comment.Feb 1 2024, 3:11 PM

Just to add some additional flavor here, this all started when I set up my account on the ombuds wiki. Lastpass saw a new password being set and updated its entry, but since wikitech and ombuds are both in the wikimedia domain, it got confused and updated the wrong entry. This was further confused by idp also being in the wikimedia.domain. I realize some of the blame can be placed on lastpass, but not all of it, so the WMF side should do as much as it can to make it clear what is happening.

SLyngshede-WMF changed the task status from Open to In Progress.Feb 5 2024, 3:41 PM
SLyngshede-WMF claimed this task.
SLyngshede-WMF triaged this task as Medium priority.
gerritbot added a comment.Feb 5 2024, 4:02 PM

Change 997484 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/bitu@master] Make it clear what password is being reset

https://gerrit.wikimedia.org/r/997484

gerritbot added a project: Patch-For-Review.Feb 5 2024, 4:02 PM
SLyngshede-WMF added a comment.Feb 5 2024, 4:06 PM

I'm not aware of any way to giving password managers hints as to which entries they should update, and which they shouldn't. I'm happy to implement something that will help Lastpass do the right thing, but I can find any suggestions in their documentation.

It is possible to add rules to Lastpass to ensure that wrong sub-domains aren't updated and to let Lastpass know that some domains/sub-domains are equivalent. Sadly it doesn't seem to be possible to push that information... which makes sense for security.

gerritbot added a comment.Feb 6 2024, 9:30 AM

Change 997484 merged by Slyngshede:

[operations/software/bitu@master] Make it clear what password is being reset

https://gerrit.wikimedia.org/r/997484

SLyngshede-WMF moved this task from Backlog to Pending Release on the Bitu board.Mar 26 2024, 11:25 AM
Maintenance_bot removed a project: Patch-For-Review.Mar 26 2024, 11:30 AM
SLyngshede-WMF closed this task as Resolved.Thu, Apr 11, 10:42 AM
SLyngshede-WMF moved this task from Pending Release to Resolved on the Bitu board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL