Page MenuHomePhorge

Reword joke password reset email message
ClosedPublic

Authored by pppery on May 25 2024, 01:14.

Details

Summary

Closes T15840

Test Plan

Send an I forgot my password email with serious business mode off and see the updated email

Diff Detail

Repository
rP Phorge
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

pppery requested review of this revision.May 25 2024, 01:14

And yes, I did read https://we.phorge.it/book/phorge/article/tone/ before filing this patch. You are welcome to berate me (and by extension Verdy_p on translatewiki.net, although they've been blocked there so the chance of them seeing anything you say is low) anyway.

Well, I understand why this patch completely removes that joke.

If the root problem is that somebody may think it's not a joke, maybe we can just clarify.

Kind of:

-After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't
+Oh, have you that (bad) friend that writes ....? ... Well. That company was closed. So, keep your secrets, as secrets.

Or something like that. Be creative.

Agree the current non-serious language needs updated. Maybe something like,

“Promise not to forget your next password we’ll let you reset it here: {link}”

src/applications/people/mail/PhabricatorPeopleEmailLoginMailEngine.php
91

Interestingly a case of “Phabricator” we must’ve missed in updating/removal

In D25671#18360, @speck wrote:

Agree the current non-serious language needs updated.

Though, I’d guess Phab/Phorge will actually reject these short passwords.

In D25671#18362, @speck wrote:
In D25671#18360, @speck wrote:

Agree the current non-serious language needs updated.

Though, I’d guess Phab/Phorge will actually reject these short passwords.

It will. There's a configurable minimum password length, and also a hardcoced password blacklist at https://we.phorge.it/source/phorge/browse/master/externals/wordlist/password.lst

src/applications/people/mail/PhabricatorPeopleEmailLoginMailEngine.php
91

And also trailing whitespace in a message (T15842)

Abiding by the law of triviality, after nine meetings the Working Group that I set up for this task came up with this proposal:

After setting a new password, consider writing it down on a sticky note and attaching it to your monitor so others can impersonate you at any time. Choosing a short, easy-to-remember password "like \"cat\" or \"1234\" might also help to get your machine hacked, your bank account emptied, or your company ruined.\n\nBest Wishes,\nPhorge\n

As usual, Poe's law applies.

Wanna cook up a new revision here, or should I create a separate patch? :)

Update to Andre's suggestion

pppery retitled this revision from Remove joke password reset email message to Reword joke password reset email message.Jun 4 2024, 17:12
pppery edited the summary of this revision. (Show Details)
pppery edited the test plan for this revision. (Show Details)

Actually do that, since I screwed up before

Fix a double space after testing

I like the change in language here, but maybe a total rewrite of the text is better. My take:

When setting a new password. please keep it safe, using a trustworthy password manager and a randomly generated password.
We thank you, your administrator thanks you, and you'll thank yourself in the future.

In the unlikely event you that absolutely don't intend to keep it safe at all, you might choose instead, to:

  • Write it down on a sticky note, put it on your monitor, and hope nobody else uses it on %s.
  • Use the same password you've already used, especially for your e-mail and bank account.
  • Use easy-to-remember, easy-to-guess passwords, like "12345abcde".

Modern security advice considers these practices "a bad idea".
If you're already doing any of these, here or elsewhere, you might want to consider the account compromised.

I understand the points. Third proposal, starting with useful tips (good idea), and shorter:

When setting a new password, it should be new, unique, strong, and random. Keep it safe, only using a trustworthy password manager.
Also, please remember these boring security practices, straight from the 1980s:

  1. Your monitor should not have a yellow sticky note, with your password on it.
  2. Your e-mail, your social networks, your bank, your %s, your nuclear armament, should all have very-different passwords.
  3. If you are out of imagination, use a strong password generator. But please, please, please, avoid smart ideas like "1234asdf".

Wow. With my proposal is not funny anymore. OK I will refrain myself from contributing here. But I personally like the new proposal from Andrè and @pppery. Personally approving.

@valerio.bozzolan: Y U so sirious??? :D

Well, I always feel a bit bad for translators (I already felt bad for my own proposal) the longer the text gets, so I'll simply +1 and we can move on to other very important stuff... shrug

This revision is now accepted and ready to land.Jun 5 2024, 09:17