Community Wishlist Survey 2017/Miscellaneous/Allow additional password recovery methods

Allow additional password recovery methods

  • Problem: Right now the only way to recover your password is via email, while it is not even necessary to save an email address with your user settings at all.
  • Who would benefit:
    • Occasional authors who forgot their password and did not supply an email address or whose email address has changed meanwhile.
    • The Volunteer Response Team that quite frequent gets inquiries for lost passwords and can often only respond with "you will have to create a new account".
  • Proposed solution:
    • Create a password hash that can be saved separate from the email address.
    • Create other recovery methods, e.g. by "secret questions".
  • More comments:
  • Phabricator tickets:

Discussion

edit

IMHO "secret questions" make everything more insecure, as finding the answer to "What's the birth name of your mother?" etc. is simple social engineering to break into someone else's account. "Password hashs": w:en:Template:Committed identity might be pretty close to that? Have you considered w:Multi-factor authentication? --AKlapper (WMF) (talk) 20:47, 8 November 2017 (UTC)[reply]

Two-factor authentification... Would a "normal user" (one of those who forget to update their email address in the settings) do that? --Reinhard Kraasch (talk) 21:48, 8 November 2017 (UTC)[reply]
Since the possible "secret questions" are often the same across many different sites, https://xkcd.com/792/ seems relevant too. Anomie (talk) 15:23, 9 November 2017 (UTC)[reply]
Two-factor makes account recovery harder, not easier. --Tgr (WMF) (talk) 04:52, 19 November 2017 (UTC)[reply]
I only read about it in its early days. It was confusing enough to make *everything* harder... I hope it improved. Gotta read about it again someday. - Nabla (talk) 23:32, 1 December 2017 (UTC)[reply]
  • Most of this is easily solvable by just more strongly encouraging people to register and verify their email address. Have you seen those websites where once a year they ask "is this still your email address?". Similar reminders and encouragements can be given. In my opinion not registering an email address should be an active opt-out, not a lazy default situation. —TheDJ (talkcontribs) 20:48, 9 November 2017 (UTC)[reply]
    • That's a good point, sending a reminder to said folks should be pretty easy. And yeah, we should encourage it more heavily on the registration page. Not an a hard failure, but at least a "HEY ARE YOU REALLY F'ING SURE? HAVING AN EMAIL IS A GOOD IDEA YO" would encourage people to not skip out. 😂 (talk) 00:27, 10 November 2017 (UTC)[reply]
    • Maybe specifically when an online email service provide is known to terminating or terminated their service, a reminder can be given to those people? C933103 (talk) 20:04, 11 November 2017 (UTC)[reply]
  • Maybe send a person who doesn't register their email every 3 months a central notice asking them to fill out their email address? ChristianKl (talk) 17:29, 11 November 2017 (UTC)[reply]

A password hash is basically a password, except it's impossible to remember. How would that help? If you care about your account being lost, set an email address and keep it up to date. If someone can't be trusted to do that, it's hard to imagine they would keep better track of their identity hash. +1 to nagging people with significant editcount to set/update their email address instead. (Also, maybe allow setting a secondary recovery email address?) --Tgr (WMF) (talk) 04:52, 19 November 2017 (UTC)[reply]

I'm not a fan of the proposed alternative recovery methods. Perhaps something like adding a phone number might make sense, although that's also not without its flaw in terms of people stealing other people's phone numbers. BWolff (WMF) (talk) 22:49, 28 November 2017 (UTC)[reply]

It is now well established that SMS is not secure enough for 2FA, but using it (or voice calls) for password recovery would be even more dangerous as not even the password would be required to break into an account. Admittedly, intercepting and redirecting messages or calls may be well beyond the abilities of a regular script-kiddie, but that's not the only group of possible attackers. This may in particular put people living in countries with oppressive regimes under especially high risk. Of course, entering a phone number may (and should) be optional, but still not everyone would be aware of the security implications, with many people happily assuming that nobody else should be able to read their text messages or hear their voice calls. Last but not least, by implementing something like this, we'll be going in the exact opposite direction of where everyone else is going nowadays (or should/will sooner or later be going, anyway).
— Luchesar • T/C 23:18, 28 November 2017 (UTC)[reply]
  • Better look into how proofs are done at Keybase. You can use multiple proofs to verify an identity, and if the proofs gives a sufficiently high trust, then revoke of credentials can be initiated. Please don't use SMS, but if you do, ask for an alternate return path. Note also that if an attacker asks for new credentials, then he already has a working attack vector for the special page at Wikipedia. — Jeblad 01:18, 11 December 2017 (UTC)[reply]

Voting

edit