Page MenuHomePhabricator
Create Task
Maniphest T359653

Set temporary account expiration at 90 days
Closed, ResolvedPublic
Actions

Description

Context

In T300271: [IP Masking] Temporary Account Expiration, we set the temporary account expiration value to 1 year.

This might be an unnecessarily long duration for most good faith editing patterns. Especially as T359405: Create temporary account early in edit cycle for all edit attempts, we don't want to make it easy for abusers to mass create temporary accounts that can then be reactivated (by storing the session cookies) later.

90 days corresponds to the retention period for CheckUser data, so setting expiry to 90 days ensures that we can always run CheckUser on active temporary accounts.

Decision

This task proposes to reduce the expiration value for temporary accounts from 1 year to 90 days.

A much shorter duration, like 7 days, might also be desirable, but we could wait until we have temporary accounts in production to evaluate what good faith usage patterns of temporary accounts looks like before deciding.

Consequences

  • Shorter timespan for users to make use of a temporary account

Details

SubjectRepoBranchLines +/-
[temp accounts] Set expiration to 90 daysmediawiki/coremaster+6 -6
Customize query in gerrit

Related Objects

Event Timeline

kostajh created this task.Mar 8 2024, 5:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 8 2024, 5:34 PM
Bugreporter subscribed.EditedMar 8 2024, 5:45 PM

Another idea is expire temporary account that is inactive for some shorter time (e.g. 7 days or 30 days). But we need some way to store how temporary account is recently used (maybe just store it in cache?)

kostajh mentioned this in T359789: Expire inactive temp accounts after 7 days.Mar 11 2024, 8:23 AM
In T359653#9615869, @Bugreporter wrote:

Another idea is expire temporary account that is inactive for some shorter time (e.g. 7 days or 30 days). But we need some way to store how temporary account is recently used (maybe just store it in cache?)

Thanks for this idea--I've filed it as T359789: Expire inactive temp accounts after 7 days, and we should add some more detail to it.

Pikne subscribed.Mar 11 2024, 1:30 PM

much shorter duration, like 7 days, might also be desirable

This would also mean that temporary accounts can be contacted via their talk page, or be mentioned on other talk pages for that short period, right? 7 days is a quite narrow timeframe to review temporary account's edits, and for temporary account user to also return and receive the feedback. For this reason it migh be better to keep a temporary account (inactive or not) for some longer period, maybe at least a month or so.

Also, I don't know how exactly the temporary accounts feature changes user blocks, but I assume too short duration also might make blocks less efficient than desired (at least concerning blocked users who don't know about session cookies).

Bugreporter added a comment.Mar 11 2024, 3:49 PM

but I assume too short duration also might make blocks less efficient than desired (at least concerning blocked users who don't know about session cookies).

For LTA, a potentially useful feature is to also block every IP used by the account (or even /24 range thereof) in one click. Normal block of temporary account can be bypassed by removing the cookie, and autoblock will expire after one day until T27305: Add a way to extend autoblock to longer than 1 day/T43479: [Spam/vandalism] Raise $wgAutoblockExpiry noticeably.

kostajh mentioned this in T357682: Investigate: Is AbuseFilter in accordance with the IP address reveal policy.Jun 11 2024, 11:32 AM
kostajh mentioned this in T332741: Determine if there is a need for IPs of temp users to be preserved for longer than 90 days.Jun 20 2024, 8:59 AM
Niharika subscribed.Jun 20 2024, 9:22 AM

Let's prioritize this task. We can reassess after testwiki deploy if we see evidence that we need to keep them for longer.

kostajh claimed this task.Jun 20 2024, 9:34 AM
gerritbot added a comment.Jun 20 2024, 9:46 AM

Change #1047930 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/core@master] [temp accounts] Set expiration to 90 days

https://gerrit.wikimedia.org/r/1047930

gerritbot added a project: Patch-For-Review.Jun 20 2024, 9:46 AM
gerritbot added a comment.Jun 20 2024, 12:13 PM

Change #1047930 merged by jenkins-bot:

[mediawiki/core@master] [temp accounts] Set expiration to 90 days

https://gerrit.wikimedia.org/r/1047930

Maintenance_bot removed a project: Patch-For-Review.Jun 20 2024, 12:30 PM
ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.11; 2024-06-25).Jun 20 2024, 1:00 PM
Tchanders closed this task as Resolved.Jun 21 2024, 10:33 AM
Tchanders added a project: Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)).
Tchanders moved this task from Priority Backlog to Done on the Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)) board.
kostajh updated the task description. (Show Details)Jun 24 2024, 11:21 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits