Last modified: 2014-10-08 19:31:58 UTC
When someone gets a password reset email from us these days, it does not contain an "if you did not request this password reset, click here to cancel". This sort of language is becoming pretty standard; Facebook says "Didn't request this change? If you didn't request a new password, let us know immediately [LINK]." Key to note: the "let us know immediately" doesn't actually have to *do* anything; it still reassures people just by existing. (I'm bringing this up because one of our outside counsels forwarded me an email and asked "what should I do?"; having a link like this would have reassured him.) Marking this minor because the lack of this does cause some consternation for users, and isn't best practices, but isn't a security bug per se.
Noting we already have this sort of thing on our email confirmation process. (In reply to comment #0) > "Didn't request this change? > If you didn't request a new password, let us know immediately [LINK]." > > Key to note: the "let us know immediately" doesn't actually have to *do* > anything; it still reassures people just by existing. (I'm bringing this up > because one of our outside counsels forwarded me an email and asked "what > should I do?"; having a link like this would have reassured him.) Shouldn't it at least invalidate the temporary password sent? Seems a bit silly not to This should be fairly easy to implement...
All sorts of things it could do (invalidate password, record the IP to see if we should block an IP temporarily from password resets, etc.) But I leave that up to the implementation :)
For reference if someone not so familiar with MediaWiki wants to take this on.. For email confirmation we use the message 'confirmemail_body', which has the text below. 'Someone, probably you, from IP address $1, has registered an account "$2" with this email address on {{SITENAME}}. To confirm that this account really does belong to you and activate email features on {{SITENAME}}, open this link in your browser: $3 If you did *not* register the account, follow this link to cancel the email address confirmation: $5 This confirmation code will expire at $4.', Versus for password reset 'passwordremindertext' we have 'Someone (probably you, from IP address $1) requested a new password for {{SITENAME}} ($4). A temporary password for user "$2" has been created and was set to "$3". If this was your intent, you will need to log in and choose a new password now. Your temporary password will expire in {{PLURAL:$5|one day|$5 days}}. If someone else made this request, or if you have remembered your password, and you no longer wish to change it, you may ignore this message and continue using your old password.',
(In reply to comment #0) > When someone gets a password reset email from us these days, it does not > contain an "if you did not request this password reset, click here to > cancel". > This sort of language is becoming pretty standard; Facebook says > > "Didn't request this change? > If you didn't request a new password, let us know immediately [LINK]." > > Key to note: the "let us know immediately" doesn't actually have to *do* > anything; it still reassures people just by existing. (I'm bringing this up > because one of our outside counsels forwarded me an email and asked "what > should I do?"; having a link like this would have reassured him.) Actually I think it's not okay to mislead the user like that. If we include a cancel link, it should either: A) invalidate the temporary password sent B) set a flag on the account or otherwise actually report the issue to someone who can help the user ensure their account is secure We don't have a cancel link currently because, just like on the actual form, we don't actually require the user to take action to not reset their password. The password reset email doesn't actually reset your password, it just provides you the ability to do so if you want. If you don't want, you can ignore the email and keep using your old password. If users are confused, I would suggest clarifying language that says what they should do if they don't want to reset their password. Is there something already in there along these lines?
Change 147496 had a related patch set uploaded by Rohan013: Add "cancel this" link to password reset emails https://gerrit.wikimedia.org/r/147496