Password reset

From Wikitech

This document offers guidance when a Wikimedia user loses access to their account and can't login.

Wikimedia account password reset

A user can't log in if both of the following hold:

  • they have a blank or incorrect email address;
  • they have forgotten their password.

In such a case the main risk is social engineering: it's necessary to ensure that the user making the request has a legitimate claim to the account in question. A good point to check is whether the requester's e-mail address can be legitimately linked with that user.

Ensure the request is legitimate

Make sure the request is legit. This part is covered at Password reset/Confirming identities.

In particular, someone from Trust & Safety (for example James Alexander) should be notified of the password reset. It is also a good idea to hand the request over to them if there are not sufficient elements to confirm the identity.

Technical procedure to follow

  • On a maintenance host (such as mwmaint1002), run mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
  • In your browser, go to Special:PasswordReset on the user's main wiki.
  • Type in the user's name, leave the e-mail address blank and click "Reset password".
  • Ask the requester to check their inbox to confirm that the password reset email was received.

Notes:

  • The home wiki shouldn't matter much.
  • MediaWiki usernames can contain UTF-8 characters. If they are awkward to type on the terminal, you can instead pass the user id prefixed with #.

Wikimedia or wikitech two factor authentication removal

Be careful! This process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:

  • If you recognize them, talk to them face-to-face or in a video chat.
  • If someone on WMF staff recognizes them, have a three-way video chat in which the staff member vouches for them.
  • Have the user write a request to disable 2FA in their home directory on a CloudVPS/Toolforge bastion.

A maintenance script works both for wikitech 2FA and SUL 2FA:

For wikitech 2FA, run the following on a wikitech host (labweb1001 or labweb1002):

mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labswiki <username>

For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on mwmaint1002 using that wiki:

mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>

The user can then log in using just their password and re-add two factor authentication.
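The two maintenance-script steps on this page (the e-mail reset in the password procedure and the 2FA removal) wrapped in a small POSIX shell helper. This is an added example, not a script from Wikitech or MediaWiki: it assumes mwscript is on the PATH of the maintenance host, uses a placeholder audit-log path, and refuses to run unless the operator records how the requester's identity was confirmed, so the anti-social-engineering check always leaves a trace.

```sh
#!/bin/sh
# Added helper, not part of the Wikitech page: gates the two account-recovery
# maintenance commands behind a recorded identity check and an audit line.
# Assumptions: mwscript is on PATH on the maintenance host; AUDIT_LOG is a
# placeholder path; DRY_RUN=1 (the default) prints the command instead of running it.

AUDIT_LOG="${AUDIT_LOG:-/tmp/account-recovery-audit.log}"   # placeholder path
DRY_RUN="${DRY_RUN:-1}"

# run_recovery ACTION WIKI USERNAME CONFIRMED_BY [NEW_EMAIL]
#   ACTION       reset-email | disable-2fa
#   WIKI         the wiki passed as --wiki= (e.g. labswiki, or a wiki on which
#                the SUL user exists locally)
#   USERNAME     the MediaWiki username, or "#<user id>" for names that are
#                awkward to type on the terminal
#   CONFIRMED_BY how identity was verified (video chat with staff vouching,
#                bastion home-directory request, ...); mandatory
#   NEW_EMAIL    required for reset-email only
run_recovery() {
    action=$1; wiki=$2; user=$3; confirmed_by=$4; email=$5
    if [ -z "$confirmed_by" ]; then
        echo "refusing: identity confirmation not recorded" >&2
        return 1
    fi
    # Build the argument list as separate words so usernames with spaces survive.
    case "$action" in
        reset-email)
            if [ -z "$email" ]; then echo "reset-email needs NEW_EMAIL" >&2; return 2; fi
            set -- mwscript resetUserEmail.php "--wiki=$wiki" "$user" "$email" ;;
        disable-2fa)
            set -- mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php \
                   "--wiki=$wiki" "$user" ;;
        *)
            echo "unknown action: $action" >&2; return 2 ;;
    esac
    # Audit line: who did what, to whom, on which wiki, and on what evidence.
    printf '%s operator=%s action=%s wiki=%s user="%s" confirmed_by="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        "$action" "$wiki" "$user" "$confirmed_by" >> "$AUDIT_LOG"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY RUN:'; printf ' [%s]' "$@"; echo
    else
        "$@"   # Notifying Trust & Safety remains a manual step after this.
    fi
}
```

Run with DRY_RUN=0 only on the maintenance host once the identity check and the Trust & Safety notification from the sections above have been done.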

Phabricator two factor authentication removal