Password and 2FA reset

From Wikitech

This document offers guidance for when a Wikimedia user loses access to their account and can't log in.

Wikimedia account password reset

A user can't log in if both of the following conditions are met:

  • they have a blank or incorrect email address;
  • they have forgotten their password.

In such a case, social engineering must be guarded against: make sure that the user making the request has a legitimate claim to the account in question. A good check is whether the requester's e-mail address can be legitimately linked to the user.

For developer account users

Before requesting a password reset from an administrator, try to self-reset the password. If that doesn't work for you and:

  • you need your password to be reset, or
  • you need your two-factor authentication to be disabled

you need to open a new Phabricator task with cloud-services-team and Trust-and-Safety as tags.

Be prepared to answer questions to validate your identity. Often the easiest verification method is to show that you still have control of the ssh private key associated with your Developer account. This can be done by creating a text file as your Developer account on a Cloud VPS or Toolforge bastion server which references the Phabricator task you created:

$ ssh bastion.wmcloud.org  # or `ssh login.toolforge.org`
$ cd $HOME
$ install -m0600 /dev/null 2fa-reset-request.txt
$ echo "https://phabricator.wikimedia.org/[YOUR PHABRICATOR TASK NUMBER]" > 2fa-reset-request.txt
$ echo "$(hostname -f):$(pwd)/2fa-reset-request.txt"

Then make a comment on the Phabricator task including the output of the last command so that the person who helps you can find the verification file easily.

For admins

Ensure the request is legitimate

Make sure the request is legitimate. This part is covered at Password reset/Confirming identities.

In particular, someone from Trust & Safety should be notified of the password reset. It is also a good idea to hand the request over to them if there is not enough evidence to confirm the identity.

Technical procedure to follow

  • On a maintenance server, run mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
  • In your browser, go to Special:PasswordReset on the user's main wiki.
  • Type in the user's name, leave the e-mail address blank and click "Reset password".
  • Ask the requester to check their inbox to ensure that the password reset email was received.

Notes:

  • The home wiki shouldn't matter much.
  • MediaWiki usernames can contain UTF-8 characters. If you have difficulty using them on the terminal, you can instead use the user id prefixed with #.

Two-factor authentication removal

Before following these steps, if the user has a device that worked with 2FA in the past but has suddenly stopped working, check that the device's clock is accurate. The clue is in the name of the 2FA method we use, the Time-based One-time Password algorithm (TOTP): if the clock on the device is too far off, it generates the wrong codes. Even a two-minute difference is enough to cause this.
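To make the clock-skew point concrete, here is an added example (not code from the Wikitech page or from OATHAuth) implementing RFC 6238 TOTP over HMAC-SHA1 with the usual 30-second step, plus a verifier that tolerates one step of drift either way. The secret is the RFC 6238 reference test secret, not any real user's key, and the timestamp is a fixed sample so the run is reproducible. It shows that a device 30 seconds off still verifies, while one 120 seconds off is four steps away and is rejected, which is exactly the "suddenly stopped working" symptom described above.

```python
"""TOTP (RFC 6238) clock-skew demonstration.

Added example, not part of the Wikitech page: the 20-byte secret below is
the RFC 6238 SHA-1 test secret, not any real user's key.
"""
import hashlib
import hmac
import struct

# Constructed input: the RFC 6238 reference secret (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the default used by authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """TOTP is HOTP whose counter comes from the clock: floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = STEP,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step or one step either side (a common server tolerance)."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def skew_report(secret: bytes, server_time: int, device_skew_seconds: int) -> dict:
    """Describe what happens when the device clock runs `device_skew_seconds` ahead of the server."""
    device_code = totp(secret, server_time + device_skew_seconds)
    return {
        "device_code": device_code,
        "server_code": totp(secret, server_time),
        "steps_off": device_skew_seconds // STEP,
        "accepted": verify_totp(secret, device_code, server_time),
    }


if __name__ == "__main__":
    now = 1111111109  # a fixed RFC 6238 sample time, so the run is reproducible
    for skew in (0, 30, 120):
        print(f"device clock {skew:4d}s ahead ->", skew_report(DEMO_SECRET, now, skew))
```

The verification window is the reason a few seconds of drift go unnoticed while minutes do not: a server that accepts the neighbouring steps covers about 30 seconds of skew in each direction, so a device that is two minutes off will never produce an acceptable code until its clock is corrected.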

Wikimedia two factor authentication removal

Be careful! This process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:

  • If you recognize them, have a face-to-face meeting or one in a video chat.
  • If someone on WMF staff recognizes them, have a three-way video chat in which the staff member vouches for them.

For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on a maintenance server using that wiki:

mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>

Privileged user groups may also use Special:DisableOATHForUser to remove 2FA from any user account. Its use is logged at Special:Log/oath. This requires the oathauth-disable-for-user right. On Wikimedia Foundation production wikis, members of the Staff and System administrator global groups, and of the WMF Trust and Safety local Meta-Wiki group, have it.

The user can then log in using just their password and re-add two factor authentication.

Phabricator two factor authentication removal

Reset user password in LDAP

To reset the password of a developer account, a root user or a member of the ldap-admins admin group can:

  • install the slappasswd utility locally (it's in the slapd package)
  • use slappasswd to hash a new password (SSHA password)
  • ssh to an ldap-maint server (ssh ldap-maint1001.eqiad.wmnet)
  • run sudo modify-ldap-user <username> (replace <username> with the actual user)
  • paste the SSHA password hash line and save with :wq
  • when logging in, make sure the exact spelling is used; capitalization matters, and not just for the first letter