
In case of compromised wiki account, allow real user to override
Open, Low, Public

Description

On one social network site, Facebook, where account hijacking is common, a user can provide an email address and one of the earlier passwords he/she ever had, and through several steps could get the hacked account back.

Now there are some users who have experienced a compromised account in their wiki activities. Most create a new account, because it's easy, but if the account already has a lot of contributions, the user might want to get it back. Is it possible to implement the same functionality (storing previous passwords in case of emergencies) in the user table?

Event Timeline

Bennylin created this task. Apr 12 2015, 1:41 AM
Bennylin raised the priority of this task from to Needs Triage.
Bennylin updated the task description. (Show Details)
Bennylin added a project: Security-General.
Bennylin added a subscriber: Bennylin.
Restricted Application added a subscriber: Aklapper. Apr 12 2015, 1:41 AM

It would seem that making it harder to get the account in the first place would be the priority, and there has been much discussion about two-part authentication, as well as giving people better means to provide stronger passwords, etc. We are lagging in this part of the internet world.

That said having a means to return an account to the original person is useful.

Aklapper triaged this task as Low priority. Apr 13 2015, 9:21 AM

Storing previous passwords is sometimes done so that password policy can prevent a user from reusing the same password after a forced change, so the work could be useful beyond just account recovery.

In general though, if one attacker has compromised the password, it's really hard to claim that someone who happens to know the password is the real owner. But if stewards think it's a useful proof, then I'm not opposed to it.

Usually, the reset link would be sent to the (original) email address, thus it's hard to exploit the password if you don't also control the email. But since email is optional in WMF projects, this obviously would not work for someone who didn't provide an email address.
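As an added illustration of the password-history mechanism this comment describes (not MediaWiki code; the history depth, the PBKDF2 parameters and the UserRecord name are assumptions), a minimal store that keeps salted hashes of retained previous passwords, rejects reuse on change, and exposes the "knows a previous password" check the task asks about:

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HISTORY_DEPTH = 5        # assumed policy: retain at most this many previous hashes
ITERATIONS = 100_000     # assumed PBKDF2 work factor
HashRecord = Tuple[bytes, bytes]  # (salt, digest); plaintext is never stored


def hash_password(password: str, salt: Optional[bytes] = None) -> HashRecord:
    """Derive a fresh salted PBKDF2-HMAC-SHA256 record for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password: str, record: HashRecord) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class UserRecord:
    """Constructed stand-in for a user table row with a password history."""

    def __init__(self, password: str) -> None:
        self.current: HashRecord = hash_password(password)
        self.history: List[HashRecord] = []   # most recent previous password first

    def change_password(self, new_password: str) -> bool:
        # Policy use from the comment: refuse the current or any retained old password.
        if any(matches(new_password, rec) for rec in [self.current, *self.history]):
            return False
        self.history.insert(0, self.current)
        del self.history[HISTORY_DEPTH:]      # keep the history bounded
        self.current = hash_password(new_password)
        return True

    def verify_current(self, password: str) -> bool:
        return matches(password, self.current)

    def knows_previous_password(self, candidate: str) -> bool:
        # Recovery use from the task: evidence only, since anyone who captured an
        # old password (see the thread) can pass this check.
        return any(matches(candidate, rec) for rec in self.history)
```

Only hashes are retained, so the history adds no plaintext exposure beyond what the current password field already carries, but it does widen the set of secrets that, if leaked, satisfy the recovery check.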

Tgr added a subscriber: Tgr. Aug 27 2015, 7:07 AM

If you still own the email address, you can just use the password reset function to get the account back. (Of course if someone steals the password, changing the email is probably the first thing they do.) If not, we would need an audit trail of email addresses as well as passwords so that they can serve as proofs. That has some unpleasant privacy implications. Also this would mean that someone who obtains the user's password (e.g. by breaking the user's account at another site) will be able to steal the account with minimal social engineering even if the user notices and changes their password in time. So I think this is generally the wrong approach to the problem.