
Should vanishing an account remove its password and other login credentials?
Open, Needs Triage, Public

Description

In T368524, it was apparently decided that vanishing an account should not remove its password. Despite that, code was added to remove the password when vanishing. This code did not work correctly for some time, and it was recently fixed in T418122. Currently password and other login credentials are being removed when vanishing.

Accounts with no password or other credentials are labelled as "system users" in some places in the interface (e.g. Special:UserRights), which led to a lot of confusion, leading to task T420848. That labelling can be improved, but I'd like to have a decision on this first. The method used to remove credentials is also called newSystemUser, so this is confusing in the code as well.

If we don't remove passwords, we risk that they would be included in a future data breach, if we ever suffer one. Since we also remove vanished users' emails (I assume this is not controversial), we wouldn't even be able to notify these users about the data breach.

If we remove passwords, then vanishing can't be reversed by stewards (by just renaming and unlocking the account); sysadmin intervention is required to set a new password and/or email for the user before they can log in. I'm not sure how important this is, given that we claim that vanishing is permanent (ref1, ref2), but this has been raised (ref).

Passwords are considered personal information in our privacy policy (ref), and we suggest that personal information can be removed when vanishing (ref), but we never straight-up say that we do or don't remove passwords.

[A secondary question is: Should other login credentials be removed as well? (e.g. 2FA information, passkeys, and more obscure auth methods like owner-only OAuth clients). They are less likely to be considered PII than a password. On the other hand, it seems wrong to leave an account in a state where it can be used, but can't log in normally. Currently it seems that other login credentials are being removed as well (although I didn't review every auth method to ensure this).]

Desired outcome: I'd like to ask the PSI team to make this decision, ensure that stewards are on board with it, and document it on-wiki. If we decide that the passwords should be removed, we should also start another task to scrub them from accounts vanished before the change from T418122 was deployed.

Event Timeline

Note we also semi-regularly get (and process) requests to "un-vanish" accounts just because a project wants the account to have the old name for their records (typically related to disruptive users) so the "system user" is also a bit of a problem there.

Regarding the stored authentication method, we don't actually store the "password" - so we don't have the "personal information" to purge there.

Repeat some points of mine raised in previous tasks:

  • We do not store the password as is, but a hashed password. One may argue a hashed password is PII under GDPR.
  • The current way to define a system user (accounts with no password or other credentials) is bad - it should be redefined using a wiki-agnostic way such as a username pattern.
  • We should move the current "steal" logic to a new function like revokeAccess().
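One way to model what this comment asks for, as an added example that is neither MediaWiki's code nor the commenter's: credential revocation lives in its own function, the "system user" check is a username pattern instead of "has no credentials", and a vanished account therefore stays an ordinary (but unusable) account until someone with the right privileges restores it. The regex, the PBKDF2 storage format and all account fields are assumptions of this example, not the project's.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical, wiki-agnostic rule for system users: decided by the name,
# never by whether credentials happen to be missing.
SYSTEM_USER_RE = re.compile(r"^System user: ")

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


@dataclass
class Account:
    name: str
    email: Optional[str] = None
    password_hash: Optional[bytes] = None      # salt || PBKDF2-HMAC-SHA256 digest
    totp_secret: Optional[bytes] = None
    passkeys: List[bytes] = field(default_factory=list)
    access_revoked: bool = False               # explicit state, separate from "system user"


def set_password(acct: Account, password: str) -> None:
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    acct.password_hash = salt + digest


def check_password(acct: Account, password: str) -> bool:
    """False when access was revoked or no hash is stored; constant-time compare otherwise."""
    if acct.access_revoked or acct.password_hash is None:
        return False
    salt, digest = acct.password_hash[:SALT_LEN], acct.password_hash[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def is_system_user(acct: Account) -> bool:
    return bool(SYSTEM_USER_RE.match(acct.name))


def revoke_access(acct: Account) -> List[str]:
    """Scrub every login credential and the contact address, mark the account,
    and return which credential kinds were removed (useful for an audit log)."""
    removed = []
    if acct.password_hash is not None:
        acct.password_hash = None
        removed.append("password")
    if acct.totp_secret is not None:
        acct.totp_secret = None
        removed.append("totp")
    if acct.passkeys:
        acct.passkeys = []
        removed.append("passkeys")
    if acct.email is not None:
        acct.email = None
        removed.append("email")
    acct.access_revoked = True
    return removed


def vanish(acct: Account, new_name: str) -> List[str]:
    """Rename and revoke access; the account is not turned into a system user."""
    acct.name = new_name
    return revoke_access(acct)


def restore_access(acct: Account, email: str, temporary_password: str) -> None:
    """Privileged reversal path: a new e-mail and password must be set explicitly,
    because nothing recoverable remains after revoke_access()."""
    acct.email = email
    set_password(acct, temporary_password)
    acct.access_revoked = False
```

Because `is_system_user` and `access_revoked` are independent, an interface can show a vanished account as "access revoked" rather than "system user", and the audit list returned by `revoke_access` records exactly which credential kinds (including 2FA and passkeys) were scrubbed.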

Why does this need to be rehashed again? Per previous discussion in a WMF-Steward meeting, vanishing should not remove the user's password (T368524 declined). Nothing has changed since the previous decision other than the implementation now (incorrectly per previous decision) deleting passwords.