Password reset

From Wikitech

This document offers guidance for when a Wikimedia user loses access to their account and can't log in.

Wikimedia SUL account

A user can't log in if both of the following conditions are met:

  • they have a blank or incorrect email address;
  • they have forgotten their password.

In that case there is a need to avoid social engineering: it is necessary to ensure that the user making the request has a legitimate claim to the account in question. A good point to check is whether the requester's e-mail address can legitimately be linked with the user.

Ensure the request is legitimate

Make sure the request is legitimate. This part is covered at Password reset/Confirming identities.

In particular, someone from Trust & Safety (for example James Alexander) should be notified of the password reset. It is also a good idea to hand the request over to them if there is not enough evidence to confirm the identity.

Technical procedure to follow

  • On a deployment host (such as Terbium), run mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
  • In your browser, go to Special:PasswordReset on the user's main wiki.
  • Type in the user's name, leave the e-mail address blank and click "Reset password".
  • Ask requester to check their inbox to ensure that the password reset email was received.

Notes:

  • The choice of home wiki shouldn't matter much.
  • MediaWiki usernames can contain UTF-8 characters. If you have difficulty typing them on the terminal, you can instead use the user ID prefixed with #.

Reset two factor authentication

Be careful! This process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:

  • If you recognize them, meet face-to-face or in a video chat.
  • If someone on WMF staff recognizes them, have a three-way video chat where a staff member vouches.
  • Have the user write a request to disable 2FA in their home directory on a Labs or Tools bastion.

Post 1.30-wmf.9

Since 1.30-wmf.9, a single maintenance script works for both wikitech 2FA and SUL 2FA.

For wikitech 2FA, run the following on the wikitech host (silver):

mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labswiki <username>

For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on terbium using that wiki:

mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>

The user can then log in using just their password and re-add two factor authentication.
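As an added example (not part of this page, nor of MediaWiki or the OATHAuth extension), the following POSIX shell script checks the "request written in the home directory" evidence from the identity-confirmation list above before an operator runs the maintenance script. The file name 2fa-disable-request.txt, the one-day age limit, and the demo values (Example_User, enwiki) are assumptions made here; the page specifies none of them. The script only prints the mwscript command for review; it never executes it.

```shell
#!/bin/sh
# Added example, not part of the Wikitech page or the MediaWiki/OATHAuth code.
# It checks the "request written in the home directory" evidence before anyone
# runs disableOATHAuthForUser.php.
# Assumptions (chosen here, not specified by the page): the request file is
# named 2fa-disable-request.txt, it must be owned by the requester's shell
# account, be no older than a day, and name the wiki account it concerns.

# verify_2fa_request <shell user> <wiki username> <home directory> [max age in minutes]
# Returns 0 when every check passes; a distinct non-zero code otherwise.
verify_2fa_request() {
    shell_user="$1"
    wiki_user="$2"
    home_dir="$3"
    max_age_min="${4:-1440}"
    req="$home_dir/2fa-disable-request.txt"

    # 1. A regular file must exist at the expected path.
    [ -f "$req" ] || { echo "no request file at $req" >&2; return 1; }

    # 2. The file must be owned by the requester's shell account: only the
    #    account holder (or root) can create it there.
    [ -n "$(find "$req" -user "$shell_user" 2>/dev/null)" ] \
        || { echo "$req is not owned by $shell_user" >&2; return 2; }

    # 3. The file must be recent, so an old request cannot be reused later.
    [ -n "$(find "$req" -mmin "-$max_age_min" 2>/dev/null)" ] \
        || { echo "$req is older than $max_age_min minutes" >&2; return 3; }

    # 4. The text must actually ask for 2FA to be disabled ...
    grep -qiE 'disable.*(2fa|two.factor)' "$req" \
        || { echo "$req does not ask to disable 2FA" >&2; return 4; }

    # 5. ... and must name the wiki account being reset.
    grep -qF -- "$wiki_user" "$req" \
        || { echo "$req does not mention $wiki_user" >&2; return 5; }
    return 0
}

# Builds the maintenance command from the page for the operator to review;
# this example prints it and never executes it.
disable_2fa_command() {
    printf 'mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=%s %s\n' "$1" "$2"
}

# Constructed demonstration with a throwaway home directory.
demo_home=$(mktemp -d)
demo_shell_user=$(id -un 2>/dev/null || id -u)   # find -user accepts a name or a numeric uid
printf 'Please disable 2FA on my wiki account Example_User.\n' \
    > "$demo_home/2fa-disable-request.txt"
rc=0
verify_2fa_request "$demo_shell_user" "Example_User" "$demo_home" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "request verified; command to run on terbium (enwiki chosen for the demo):"
    disable_2fa_command enwiki Example_User
else
    echo "request not verified (code $rc); do not disable 2FA"
fi
rm -rf "$demo_home"
```

Each failing check returns its own code, so the operator sees which piece of evidence is missing rather than a bare "no". The age limit matters because a request file left in a home directory months ago should not justify a reset today.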