This document offers guidance when a Wikimedia user loses access to their account and can't login.
Wikimedia account password reset
A user can't login if two conditions are met:
- they have a blank or incorrect email address;
- they have forgotten their password.
In such case, there is a need to avoid social engineering: it's necessary to ensure that the user making the request has a legitimate claim to the user account in question. A good point to check is if the requester e-mail address can legitimately linked with user.
Ensure the request is legitimate
Make sure the request is legit. This part is covered at Password reset/Confirming identities.
Especially, someone from Trust & Safety (for example James Alexander) should be notified of the password reset. It might also be a good idea to pass things to them if there is no sufficient elements to confirm the identity.
Technical procedure to follow
- On a maintenance host (such as mwmaint1002), run
mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
- In your browser, go to Special:PasswordReset on the user's main wiki.
- Type in the user's name, left the e-mail address blank and click "Reset password".
- Ask requester to check their inbox to ensure that the password reset email was received.
- Home wiki shouldn't matter much
- MediaWiki usernames could contain UTF-8 characters. If you've some difficulties to use them on the terminal, you can use instead the user id prefixed with #.
|Old instructions in case something goes wrong|
|The following content has been placed in a collapsed box for improved usability.|
On CentralAuth wikis, the eval.php script has the effect of updating the globaluser table (gu_email and gu_email_authenticated) and then clearing the relevant memcached key.
|The above content has been placed in a collapsed box for improved usability.|
Wikimedia or wikitech two factor authentication removal
Be careful! This is process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:
- If you recognize them, have a face-to-face or in a video chat.
- If someone on WMF staff recognizes them, have a three-way video chat where a staffmember vouches.
- Have the user write a request to disable 2fa in their home directory on a CloudVPS/Toolforge bastion.
A maintenance script works both for wikitech 2FA and SUL 2FA:
For wikitech 2FA, run the following on a wikitech host (labweb1001 or labweb1002):
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labswiki <username>
For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on mwmaint1002 using that wiki:
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>
The user can then log in using just their password and re-add two factor authentication.
Phabricator two factor authentication removal
- Requesting a 2FA reset for a Phabricator account: mw:Phabricator/Help/Two-factor Authentication Resets
- Performing a reset as a Phabricator admin with shell access: Phabricator#Removing_Two_Factor_Authentication