MediaWiki talk:Passwordremindertext

From Wikipedia, the free encyclopedia

Adding server name

Should we make this more obvious that it's for the English Wikipedia?

I forget my password in all the wikis I've joined, and it can be confusing when looking back at email to try and figure out which password goes with what. Tristanb 03:54, 4 Sep 2004 (UTC)

Please include in this message the variable {{SERVERNAME}} (gives en.wikipedia.org) to make clear from which wiki the email is sent and explain that you don't have to change your password but your old one still stays valid. Some poor user just came to #mediawiki and complained that he had to change his password so often because other people hit the button for him. --Elian Talk 18:28, 2 September 2005 (UTC)

Changed to address these comments. Mindspillage (spill yours?) 18:37, 2 September 2005 (UTC)

Abuse prevention?

I just received a password reminder that I didn't request. I understand that it's a security feature that a new password is sent to an address that's supposed to be under my control. I guess I'm not worried that my account has been compromised, but maybe the message should provide a clue of how to report a cracker's IP for an abuse investigation? Does anyone have the time/desire/skills to perform such an investigation, or am I dreaming? :-) -- Ventura 18:00, 15 September 2005 (UTC)

I do not think that it is possible for someone to perform such an investigation. --Siva1979 Talk to me 18:22, 31 July 2006 (UTC)

I've received two of these over the last year. What I would recommend is that the standard password reminder text sent with the temporary password include an address to forward the message to in order to report a fraudulent request; the request IP and perhaps the user name (but not the temp password!) could be listed on an available page. A pattern of fraudulent requests coming from a single IP might become worth investigation and complaint. Such would be an attack on Wikipedia. A single incident, I'd wonder about it, but probably not worth investigating.

As it is, I have no idea if the reminder I just got was from someone specifically trying to access my account or was from a massive attack targeting many different users whose names were automatically extracted. With enough of these, and thus a reduced dictionary attack seeking the temporary passwords, which are relatively short, getting in would be substantially easier.... my temp password was 7 characters, only letters and numbers, mixed case. If it was the latter, I'm less worried personally but more worried for Wikipedia. It should be possible for the user to quickly, right from their email program, cancel the temporary password, and the same action could create the necessary report. Abd 16:15, 13 April 2007 (UTC)

Overhaul

I have significantly modified this system message, because I felt the old one was too technical, stale and did not explain the whole two-simultaneous-passwords thing very well at all. - Mark 09:27, 24 January 2007 (UTC)

Add temp password timeout info?

Suggestion: at the end of the main text, can we add "Unused temporary passwords automatically expire in 7 days." Thanks. --Lexein (talk) 08:17, 23 September 2011 (UTC)

Why? ~~Ebe123~~ (+) talk Contribs 10:32, 23 September 2011 (UTC)
It's relevant and helpful to users. It is evidence of a best-practice security policy, both the fact (unused temp passwords time out), and its duration (seven days). It addresses two cases
  • requested, but no longer needed (remembered the original password), and
  • unwelcome requests made by others (which results in an unwelcome and slightly alarming email)
by reassuring the email recipient that the temp password will go away. It was just researched over at the Help Desk. --Lexein (talk) 12:55, 23 September 2011 (UTC)
Good suggestion. Added — Martin (MSGJ · talk) 17:49, 23 September 2011 (UTC)