
Don't give bad password advice when resetting password
Closed, Resolved (Public)

Description

Upstreaming from https://translatewiki.net/wiki/Thread:Support/About_Phabricator:phabricator-people-148aaf2e06c62283/fr:_extremely_unsecure_suggestion!#About_[[Phabricator:phabricator-people-148aaf2e06c62283/fr]]:_extremely_unsecure_suggestion!_61310 and https://phabricator.wikimedia.org/T313023


Steps to replicate the issue (include links if applicable):

The embedded hint is the worst suggestion I have ever seen from Phabricator or any Wikimedia project:

After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't forget again! Choosing a very short, easy-to-remember password like "cat" or "1234" might also help.

If it is followed, it completely destroys the usefulness of passwords, allowing anyone to easily take control of accounts; bots would easily target these accounts as well. Various projects have strong requirements about the choice of a good password (notably for administrator accounts, or accounts created for privacy and whose owners could become a source of legal threats when editing sensitive articles like those about the war in Ukraine, or LGBTQI+ topics, or accounts used for development with the review of edits, or approval and integration of changes in code or policies). Also, writing passwords on Post-its is not secure at all.

This is also a very bad suggestion for any other web site: users are instructed everywhere to NEVER use those "easy" tricks that break all best recommendations made by many authorities and project managers (and even by Wikimedia itself).

Given the now very HUGE risk of third-party attacks on the web (where personal account details are stolen by the tens of millions, even on very popular sites that were supposed to be secure, including massive attacks against popular wikis), we need stronger passwords stored in safe places, which are also unique for each site (so that users of the wiki will also NOT reuse their passwords for their other critical accounts such as their bank, merchant sites, gaming sites, or other professional websites, or government and social security websites).

In all cases, the statement quoted above should be discarded completely. It is much safer to forget a password that you can change again by asking the website to generate a temporary password, with which you can reconnect and change it immediately on first logon.

Instead, we should instruct users to consider using password managers (which can help generate strong passwords and save them in a secured store). Today, password managers are integrated into most major web browsers and allow synchronizing them across multiple devices, or can be integrated as plugins for most browsers or as accessibility companion apps for mobile devices.

Good password managers can also give hints when some known sites have been hacked, or when user passwords harvested from users' devices or stolen from legitimate sites are found on the dark web, where they are republished or resold.

I hope this is a joke, but such a joke on this kind of security-related topic should be removed.
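The report asks for two behaviours in place of the sticky-note hint: reject trivially weak passwords such as "cat" or "1234", and recover from a forgotten password with a short-lived, single-use temporary credential rather than a memorable one. The following is an added illustration of both in Python; it is not Phorge code and does not reflect how Phorge implements password reset. The blocklist, the minimum length (the NIST SP 800-63B floor of 8 characters) and the 15-minute token lifetime are assumptions chosen for the example.

```python
"""Added example (not Phorge's code): weak-password checks and a
single-use, expiring reset token, as an alternative to the quoted hint."""
import hashlib
import hmac
import secrets
import string

# Constructed blocklist: the report's own examples plus a few well-known
# weak passwords. A real deployment would load a much larger list.
COMMON_PASSWORDS = {"cat", "1234", "password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 8  # assumed policy: NIST SP 800-63B minimum for user-chosen secrets


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations for a user-chosen password.

    An empty list means the password is acceptable under this (assumed) policy.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on blocklist")
    if len(set(candidate)) <= 2:
        # e.g. "aaaaaaaa" or "ababab": length alone does not help here
        problems.append("too repetitive")
    return problems


def generate_password(length: int = 20) -> str:
    """What a password manager does: a random password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(store: dict, user: str, now: int, ttl: int = 900) -> str:
    """Mint a temporary credential; only its hash and expiry are stored.

    `now` is a Unix timestamp passed in explicitly so the flow is testable.
    The plaintext token is returned once, to be sent to the user out of band.
    """
    token = secrets.token_urlsafe(32)
    store[user] = (_digest(token), now + ttl)
    return token


def redeem_reset_token(store: dict, user: str, token: str, now: int) -> bool:
    """Accept the token at most once, and only before it expires."""
    entry = store.pop(user, None)  # pop, so a replayed token always fails
    if entry is None:
        return False
    digest, expires = entry
    if now > expires:
        return False
    return hmac.compare_digest(digest, _digest(token))
```

`check_password` flags both of the hint's suggestions ("cat" and "1234" are short and blocklisted), while a generated 20-character password passes. The reset flow keeps only a hash of the token, so a leaked store does not yield usable credentials, and popping the entry on first use makes the token single-use, which is what the report means by a temporary password to be changed on first logon.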

Event Timeline

Admins of any Phorge installation are free to enable serious-business if they do not like such jokes and/or assume that users in their installation would happily follow such instructions...

I upstreamed this as a largely procedural action (go through all requests for source message changes in translatewiki.net that haven't been resolved and move them up to Phorge so they can be evaluated properly rather than ignored).

But in my own opinion it still seems like there's a fundamental difference between other humorous Phabricator messages and giving bad password advice in 2024 in an email message. And the context does not make it clear enough that it's a joke.

Note that phabricator.serious_business is disabled on this install.

Using a password in 2024 is bad advice in general.

In almost all installs of Phorge, the expectation is that password login isn't enabled, and you'd use some oauth/sso from the rest of your network.

Also, from the links provided, it looks like someone saw this message in the translation DB, not in an actual email? And got offended? And complained on WMF, where this feature is disabled?

That sounds like a highly "hypothetical problem" to me.

"And complained on WMF, where this feature is disabled?" is true but misleading IMO - there was nowhere better to complain than WMF's instance since this took place after Phabricator was abandoned but before Phorge's initial release, and WMF's instance has received numerous other reports of Phabricator translation problems that were later redirected here or to old upstream.

But yes, the original source of this complaint was the translation DB. So if you think that means the issue should be ignored then so be it.

Quoting an alternative suggestion from the diff to keep this in one place:

Well, I understand why this patch completely removes that joke.

If the root problem is that somebody may think it's not a joke, maybe we can just clarify.

Kind of:

-After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't
+Oh, have you that (bad) friend that writes ....? ... Well. That company was closed. So, keep your secrets, as secrets.
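Review bot: the `+` line is a placeholder, not an applicable replacement: it trails off with "...." and "...", and the `-` line is itself cut short at "so you don't", so the hunk shows neither the full string being removed nor a complete string to put in its place. If the goal is to keep the light tone while dropping the bad advice, the replacement needs to be one complete sentence that states the positive recommendation outright (keep the password secret, or use a password manager, as the task description suggests), so that a user who sees the line out of context in a reset e-mail cannot read it as an instruction.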

Or something like that. Be creative.

avivey claimed this task.