Password and 2FA reset
This document offers guidance when a Wikimedia user loses access to their account and can't log in.
Wikimedia account password reset
A user can't log in if both of the following are true:
- they have a blank or incorrect email address;
- they have forgotten their password.
In such a case, guard against social engineering: make sure that the person making the request has a legitimate claim to the account in question. A good check is whether the requester's e-mail address can be legitimately linked to the user.
Before requesting a password reset from an administrator, try to reset the password yourself via the Special:PasswordReset form. If that doesn't work for you, you are a Wikitech user, and:
- you need your password to be reset, or
- you need your two-factor authentication to be disabled
you need to open a new Phabricator task tagged Trust-and-Safety.
Be prepared to answer questions to validate your identity. Often the easiest verification method is to show that you still have control of the ssh private key associated with your Developer account. This can be done by creating a text file as your Developer account on a Cloud VPS or Toolforge bastion server which references the Phabricator task you created:
$ ssh bastion.wmcloud.org   # or `ssh login.toolforge.org`
$ cd $HOME
$ touch 2fa-reset-request.txt
$ chmod 0600 2fa-reset-request.txt
$ echo "https://phabricator.wikimedia.org/[YOUR PHABRICATOR TASK NUMBER]" > 2fa-reset-request.txt
$ echo "$(hostname -f):$(pwd)/2fa-reset-request.txt"
Then make a comment on the Phabricator task including the output of the last command so that the person who helps you can find the verification file easily.
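From the helper's side, the verification file is only evidence if it really was written by the account being reset: it should be a regular file in that user's home, owned by that user, not readable by anyone else, and reference the task the requester quoted. The following Python check is an added example, not part of this page or of any Wikimedia tooling; the task URL it uses (T000000) is a constructed placeholder, and the demo writes its sample files into a temporary directory instead of a real bastion home.

```python
import os
import stat
import tempfile

# Constructed placeholder; a real request references the requester's own task.
EXAMPLE_TASK_URL = "https://phabricator.wikimedia.org/T000000"


def check_reset_request_file(path, task_url, expected_uid):
    """Check a 2fa-reset-request.txt file the way the person handling the task would.

    Returns (ok, reason). The file must be a regular file (not a symlink),
    owned by the account being reset, mode 0600, and contain exactly the
    task URL the requester quoted on Phabricator.
    """
    try:
        st = os.lstat(path)          # lstat: do not follow symlinks
    except FileNotFoundError:
        return False, "file does not exist"
    if stat.S_ISLNK(st.st_mode):
        return False, "path is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, f"owned by uid {st.st_uid}, expected uid {expected_uid}"
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        return False, f"mode is {mode:04o}, expected 0600"
    with open(path, encoding="utf-8") as fh:
        content = fh.read().strip()
    if content != task_url:
        return False, "content does not reference the expected task"
    return True, "ok"


def demo(task_url=EXAMPLE_TASK_URL):
    """Create one good file and several bad ones in a temp dir and check each."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as home:
        good = os.path.join(home, "2fa-reset-request.txt")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write(task_url + "\n")
        os.chmod(good, 0o600)
        results["good"] = check_reset_request_file(good, task_url, uid)

        loose = os.path.join(home, "loose.txt")          # forgot chmod 0600
        with open(loose, "w", encoding="utf-8") as fh:
            fh.write(task_url + "\n")
        os.chmod(loose, 0o644)
        results["world_readable"] = check_reset_request_file(loose, task_url, uid)

        wrong = os.path.join(home, "wrong.txt")          # references another task
        with open(wrong, "w", encoding="utf-8") as fh:
            fh.write("https://phabricator.wikimedia.org/T999999\n")
        os.chmod(wrong, 0o600)
        results["wrong_task"] = check_reset_request_file(wrong, task_url, uid)

        link = os.path.join(home, "link.txt")            # symlink to the good file
        os.symlink(good, link)
        results["symlink"] = check_reset_request_file(link, task_url, uid)

        results["missing"] = check_reset_request_file(
            os.path.join(home, "nope.txt"), task_url, uid)
        results["wrong_owner"] = check_reset_request_file(good, task_url, uid + 1)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The owner and mode checks matter more than the content check: the content proves the requester knows the task number, which anyone can read on Phabricator, while ownership of a 0600 file in the user's home proves control of the SSH key that Wikitech has on record.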
Ensure the request is legitimate
Make sure the request is legitimate. This part is covered at Password reset/Confirming identities.
In particular, someone from Trust & Safety should be notified of the password reset. It is also a good idea to hand the request over to them if there is not enough evidence to confirm the identity.
Technical procedure to follow
- On a maintenance server, run
mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
- In your browser, go to Special:PasswordReset on the user's main wiki.
- Type in the user's name, leave the e-mail address blank and click "Reset password".
- Ask the requester to check their inbox to ensure that the password reset email was received.
- The home wiki shouldn't matter much.
- MediaWiki usernames can contain UTF-8 characters. If you have difficulty using them on the terminal, you can instead use the user id prefixed with #.
Old instructions in case something goes wrong
On CentralAuth wikis, the eval.php script has the effect of updating the globaluser table (gu_email and gu_email_authenticated) and then clearing the relevant memcached key.
Two-factor authentication removal
Before following these steps, if the user has a device that worked with 2FA in the past but has suddenly stopped working, make sure the device's clock is accurate. The clue is in the name of the 2FA method we use, the Time-based One-time Password algorithm (TOTP): if the clock on the device is too far off, it will generate the wrong codes (this has happened with as little as a 2 minute difference). :)
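To see why a 2 minute skew is enough, here is a minimal TOTP implementation (RFC 6238 over HOTP, RFC 4226) in Python. It is an added example, not the OATHAuth extension's code: the secret is the RFC 6238 test-vector key (the ASCII string `12345678901234567890`), the server accepts one 30 second step either side of its own clock (a common default; the window OATHAuth uses is not stated on this page), and the timestamps are constructed.

```python
import hashlib
import hmac

STEP = 30  # TOTP time step in seconds (the RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept a code if it matches the current step or up to `window` steps either side.

    The window is all the tolerance there is for clock drift: a device whose
    clock is more steps off than that produces codes the server never tries.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def steps_off(device_time: int, server_time: int, step: int = STEP) -> int:
    """How many TOTP steps apart two clocks are."""
    return device_time // step - server_time // step


def clock_skew_demo(secret: bytes = b"12345678901234567890",
                    server_time: int = 1111111109) -> dict:
    """A device 30 s fast still verifies; one 120 s fast is four steps out and fails."""
    return {
        "skew_30s": verify_totp(secret, totp(secret, server_time + 30), server_time),
        "skew_120s": verify_totp(secret, totp(secret, server_time + 120), server_time),
        "steps_off_120s": steps_off(server_time + 120, server_time),
    }


if __name__ == "__main__":
    print(clock_skew_demo())
```

So before removing 2FA for a "my codes stopped working" report, have the user sync their device clock (most phones do this automatically, but a disabled network-time setting or a hardware token drifting for years will do it) and try again; a reset is only needed when the secret itself is lost.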
Wikimedia or wikitech two factor authentication removal
Be careful! This process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:
- If you recognize them, have a face-to-face meeting or one in a video chat.
- If someone on WMF staff recognizes them, have a three-way video chat where a staff member vouches.
- Have the user write a request to disable 2FA in their home directory on a Cloud VPS or Toolforge bastion.
The maintenance script works both for wikitech 2FA and SUL 2FA, but has to be run from a different host for wikitech (see also Maintenance server):
For wikitech 2FA, run the following on a wikitech host (cloudweb1003 or cloudweb1004):
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labswiki <username>
For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on mwmaint1002 using that wiki:
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>
Privileged user groups may also use Special:DisableOATHForUser to remove 2FA from any user account. Its use is logged at Special:Log/oath. This requires the oathauth-disable-for-user right. On Wikimedia Foundation production wikis, members of the Staff and System administrator global groups, and of the WMF Trust and Safety local group on Meta-Wiki, have it.
The user can then log in using just their password and re-add two factor authentication.
Phabricator two factor authentication removal
- Requesting a 2FA reset for a Phabricator account: mw:Phabricator/Help/Two-factor Authentication Resets
- Performing a reset as a Phabricator admin with shell access: Phabricator#Removing Two Factor Authentication
Reset user password in LDAP
To reset a user password in LDAP (wikitech wiki user), a root or a member of the ldap-admins admin group can:
- install the slappasswd utility locally (it's inside the slapd package)
- use slappasswd to hash a new password (SSHA password)
- ssh to an mwmaint server (ssh mwmaint1002)
- run sudo modify-ldap-user <username> (replace <username> with the actual user)
- paste the SSHA password hash line and :wq
- when logging in on Wikitech, use the exact spelling of the username; capitalization matters throughout, not just for the first letter
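It is worth knowing what the line you are pasting into LDAP actually is, and checking it before you paste it: a hash mangled by copy and paste locks the user out again. The {SSHA} scheme that slappasswd emits by default is base64(SHA-1(password || salt) || salt). The Python below is an added example, not slappasswd or any Wikimedia tool; it builds a hash in that format, and verifies a password against any {SSHA} hash regardless of salt length (the 4-byte salt used when none is supplied is an assumption about a typical default, and the sample salt and password are constructed).

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; whatever follows it is the salt


def make_ssha(password: str, salt=None) -> str:
    """Produce an LDAP {SSHA} userPassword value: base64(SHA1(password || salt) || salt).

    Assumption: a 4-byte random salt when none is given; the format itself
    allows any salt length, which is why verify_ssha() reads it back from the hash.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} hash, e.g. before pasting it into LDAP."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:        # no salt at all: not a well-formed SSHA value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def paste_check_demo(password: str = "constructed-example-passphrase") -> dict:
    """Show that the freshly made hash verifies and that a truncated paste of it does not."""
    stored = make_ssha(password, salt=b"\x01\x02\x03\x04")   # fixed constructed salt
    return {
        "hash": stored,
        "verifies": verify_ssha(password, stored),
        "wrong_password": verify_ssha("not-the-passphrase", stored),
        "truncated_paste": verify_ssha(password, stored[:-4]),
        "prefix_dropped": verify_ssha(password, stored[len(PREFIX):]),
    }


if __name__ == "__main__":
    for k, v in paste_check_demo().items():
        print(f"{k:16s} {v}")
```

Run verify_ssha() on the line exactly as it sits in your clipboard; if it returns False for the password you just hashed, the line was damaged in transit and must be regenerated rather than pasted.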
Attaching an account to Wikitech
On occasion, the owner of an account created via Striker that was never used to log in to Wikitech forgets their password. Because of T174469, such accounts are not connected to Wikitech and Special:PasswordReset does not work for them. Those accounts can be manually attached to Wikitech to make Special:PasswordReset work, letting the user self-service the reset.
The attaching process is as follows:
- Locate the user's LDAP account. This can be done via the ldapsearch utility from Toolforge/mwmaint1002, via Phabricator account details, or via other tools.
- Get the user's cn (Wikitech account name) and email address from LDAP.
- SSH to a cloudweb host (ssh cloudweb1004.wikimedia.org)
- Run mwscript extensions/OpenStackManager/maintenance/attachLdapUser.php --wiki=labswiki --user='$LDAP_CN' --email='$LDAP_EMAIL', replacing $LDAP_CN and $LDAP_EMAIL with the values taken from LDAP.
- Instruct the user to use Special:PasswordReset at Wikitech.