Page MenuHomePhabricator

password reset mail should have a "cancel this" link
Open, MediumPublic

Description

When someone gets a password reset email from us these days, it does not contain an "if you did not request this password reset, click here to cancel". This sort of language is becoming pretty standard; Facebook says

"Didn't request this change?
If you didn't request a new password, let us know immediately [LINK]."

Key to note: the "let us know immediately" doesn't actually have to *do* anything; it still reassures people just by existing. (I'm bringing this up because one of our outside counsels forwarded me an email and asked "what should I do?"; having a link like this would have reassured him.)

Marking this minor because the lack of this does cause some consternation for users, and isn't best practices, but isn't a security bug per se.


Version: unspecified
Severity: minor

Details

Reference
bz59736

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:23 AM
bzimport set Reference to bz59736.
Reedy added a comment.Jan 6 2014, 8:32 PM

Noting we already have this sort of thing on our email confirmation process.

(In reply to comment #0)

"Didn't request this change?
If you didn't request a new password, let us know immediately [LINK]."
Key to note: the "let us know immediately" doesn't actually have to *do*
anything; it still reassures people just by existing. (I'm bringing this up
because one of our outside counsels forwarded me an email and asked "what
should I do?"; having a link like this would have reassured him.)

Shouldn't it at least invalidate the temporary password sent? Seems a bit silly not to

This should be fairly easy to implement...

All sorts of things it could do (invalidate password, record the IP to see if we should block an IP temporarily from password resets, etc.) But I leave that up to the implementation :)

Reedy added a comment.Jan 6 2014, 8:38 PM

For reference if someone not so familiar with MediaWiki wants to take this on..

For email confirmation we use the message 'confirmemail_body', which has the text below.

'Someone, probably you, from IP address $1,
has registered an account "$2" with this email address on {{SITENAME}}.

To confirm that this account really does belong to you and activate
email features on {{SITENAME}}, open this link in your browser:

$3

If you did *not* register the account, follow this link
to cancel the email address confirmation:

$5

This confirmation code will expire at $4.',

Versus for password reset 'passwordremindertext' we have

'Someone (probably you, from IP address $1) requested a new
password for {{SITENAME}} ($4). A temporary password for user
"$2" has been created and was set to "$3". If this was your
intent, you will need to log in and choose a new password now.
Your temporary password will expire in {{PLURAL:$5|one day|$5 days}}.

If someone else made this request, or if you have remembered your password,
and you no longer wish to change it, you may ignore this message and
continue using your old password.',

swalling wrote:

(In reply to comment #0)

When someone gets a password reset email from us these days, it does not
contain an "if you did not request this password reset, click here to
cancel".
This sort of language is becoming pretty standard; Facebook says
"Didn't request this change?
If you didn't request a new password, let us know immediately [LINK]."
Key to note: the "let us know immediately" doesn't actually have to *do*
anything; it still reassures people just by existing. (I'm bringing this up
because one of our outside counsels forwarded me an email and asked "what
should I do?"; having a link like this would have reassured him.)

Actually I think it's not okay to mislead the user like that.

If we include a cancel link, it should either:

A) invalidate the temporary password sent
B) set a flag on the account or otherwise actually report the issue to someone who can help the user ensure their account is secure

We don't have a cancel link currently because, just like on the actual form, we don't actually require the user to take action to not reset their password. The password reset email doesn't actually reset your password, it just provides you the ability to do so if you want. If you don't want, you can ignore the email and keep using your old password.

If users are confused, I would suggest clarifying language that says what they should do if they don't want to reset their password. Is there something already in there along these lines?

Change 147496 had a related patch set uploaded by Rohan013:
Add "cancel this" link to password reset emails

https://gerrit.wikimedia.org/r/147496

Aklapper lowered the priority of this task from High to Medium.Jul 23 2015, 9:14 PM
Aklapper added a subscriber: Aklapper.

@rohan013: Do you plan to rework your patch for this task?

Tgr added a subscriber: Tgr.

Note that T110280 is going to make big changes in password management so anything not merged before will probably have to be rewritten from scratch.