Community Tech/Password Reset Update

The password reset project aims to enhance privacy options for Wikimedia users. For this project, we’ll be updating how password reset requests are generated. Under this new system, users can optionally select a new checkbox in Preferences. If they check this box, both their username and email address will be required for identity verification on Special:PasswordReset. If their identity is verified, a password reset email will be sent to the user. Otherwise, no email will be sent.

This page documents a project the Wikimedia Foundation's Community Tech team has worked on or declined in the past. Technical work on this project is complete.

We invite you to join the discussion on the talk page.

Shortcut:
PRU

This project was the #3 request from the 2019 Community Wishlist Survey. The reasoning behind this request is that, for some users, the current password reset system is undesirable — and it can sometimes enable harassment or confusion. Under the current system, users need to only provide one form of identification (username or email address). Thus, any user can request a password reset for any registered account.

To do this work, we’ll be communicating with many teams, including Community Engagement and Security. We look forward to community feedback on the Talk page.

How the Current System Works

edit

Under the current system, users can request password resets on the Special:PasswordReset page. This page is most commonly accessed by users when they’re not logged in, which is done by clicking on “Forgot your password?” via the Login page. However, logged in users can still access this page directly via URL. The Special:PasswordReset page looks as follows (see screenshot below):

 
Example of Password Reset page on English Wikipedia

On this page, users are prompted to verify their identity by providing their username or email address. Then, they click “Reset password.” If the user provides a valid username or email address, the system sends an email to the user account specified on Special:PasswordReset. This email informs the user that someone requested a reset of their password, and it identifies the requester via IP address or username. The user is provided with a temporary password, which expires in 7 days. If they no longer want to reset their password, they can ignore the email. However, if someone requests a password reset for an account without an associated email address, no email will be sent.

 
Example of password reset email, as sent from English Wikipedia

When users request a password reset on Special:PasswordReset, the notifications will vary, depending on whether they input a valid or invalid username. If they input a valid username, they will see the following text after generating the request: “If there is an email address associated with this username, then a password reset email will be sent.”

 
Message displayed after requesting a password reset for a valid username (English Wikipedia)

However, if they input an invalid username, they will be notified and unable to generate the request.

 
Message displayed after requesting a password reset for a invalid username (English Wikipedia)

The behavior is a bit different for email addresses. Under the current system, users will remain unaware if they have entered a valid or invalid email address. The behavior will be the same for both cases. They will receive the following message: “If this email address is associated with your account, then a password reset email is sent.”

 
Message displayed after requesting a password reset with an email address (English Wikipedia)

However, if someone requests a password reset for an account with no associated email address, the user will be informed. They will be unable to generate the password reset request.

 
Message displayed after requesting a password reset for account with no email address (English Wikipedia)

There are certain restrictions regarding multiple password reset requests, but they are limited in scope. Users can't repeatedly request password resets (without first resetting their password) in a 24 hour timeframe, per wiki. In other words, users are able to request a password reset, receive the password reset email, reset their password, and then immediately request a new password reset. However, if they don't first reset their password, they will be blocked from requesting another password reset within a 24 hour timeframe, per wiki (as seen in the screenshot below). Yet, users can circumvent this restriction. By simply requesting password resets on different wikis (such as Wikipedia, Wikimedia Commons, etc), users can generate multiple requests for the same account (without first resetting the password) within 24 hours.

 
Notification when a user tries to request a password reset repeatedly within 24 hours (English Wikipedia)

In summary, anyone can request a password reset for any registered user. They do not need to be logged in to make this request, and they do not need to have any association with the user. Users can repeatedly generate requests for the same account (without access to the user's email) every 24 hours per wiki, or they can generate requests multiple times within 24 hours on different wikis. Each request triggers a separate email.

How the Current System is Misused

edit

The current system is sometimes misused, both intentionally and unintentionally.

First, let’s discuss unintentional misuse. In this case, someone may have forgotten their username, but they think they remember it. For this reason, they choose to identify themselves via username rather than email address. The user types in an incorrect username, which may be similar to their username or generic in nature. If they type in a valid username (that is not theirs), they generate a password reset email for another user. Later, they may realize that they didn’t receive the password reset email, and they may repeatedly try to reset their password with the same username. This would trigger even more emails to the wrong user.

Second, some people may intentionally misuse the system. In this case, one user (User A) may want to harass another user (User B). To do this, they can access Special:PasswordReset, input the username for B, and then click “Reset password.” They can do this repeatedly, which can be distressing for User B. Furthermore, User A can disguise their identity by not logging into the account, and they can even change IP addresses (through changing location, using a VPN, etc), which would make it very difficult for User B to even identify User A.

Requesting Feedback

edit

We want to hear from you! Do you agree with our analysis of the current system? Is there anything critical that we mischaracterized or failed to include? How do you envision that we change the current system, based on this new preference? What risks should we consider? Let us know on the Talk page. Thank you!

Project Updates

edit

May 11, 2020

edit

We’re excited to announce that the Enhanced Password Reset feature is now enabled on all wikis. This means that, in the “Email options” section, you can check a box that says “Send password reset emails only when both email address and username are provided.” If the box is checked, you can reduce harassment through unsolicited password reset emails. This can be set as a local or global preference. For more information, you can visit the Help:Password Reset page.

In the course of this project, we have implemented the Enhanced Password Reset feature, in addition to general security improvements. For this reason, we’re marking this project as complete. We hope that this tool enhances privacy and user experience on all wikis. Thank you to everyone who voted on the wish, shared feedback, and collaborated with the team!

February 26, 2020

edit

We have released the feature, which is called Enhanced Password Reset (EPR), on Wikivoyage and Wiktionary, and we would love your feedback! Please note that we will be releasing EPR to all other wikis soon. Our plan is to do an incremental rollout, rather than releasing all at once.

To enable the feature, go to the “Email options” section in “Preferences.” You can click on the checkbox that states, “Send password reset emails only when both email address and username are provided.” Once you click the checkbox and save, the preference is enabled. Once you enable this preference, users will not be informed that both the username and email addresses are required on Special:PasswordReset (for security reasons). For this reason, you must remember to enter both your username and email address on Special:PasswordReset.

Please note that Password Reset Update is not a global preference by default. It is enabled per wiki. However, you can make it global in your global preferences.

September 10, 2019

edit

We have conducted an investigation to gain a better understanding (from a technical, security, and UX perspective) of the various elements of this project. We encourage everyone to check out the findings. Also, thank you to everyone who posed questions on the Talk page. Many of the community questions were covered in our investigation, and they helped guide our research.

We also have an exciting update: We have begun foundational development work for the project. This work was not related to the investigation, since it covered the most basic requirement of the project (i.e. add a preference that controls whether both username and email address are required for password reset). However, as we begin to approach more specified and targeted elements of the project, we'll share further updates. Thank you!