Help talk:Login notifications

I would advice to have a paragraph on the help page to give advice about defining a strong password. That would help users who are not familiar with that concept. Trizek_(WMF) (talk) 09:51, 29 August 2017 (UTC)Reply

correcthorsebatterystaple!

+1, good idea.

We have these existing options, that could be copied (with attribution) or adapted:

• "Select strong passwords -- eight or more characters long, and containing letters, numbers, and punctuation." - m:Security/Password reset
• long and detailed page, with one specific section, at m:Make sure you have a password
• "The strength of a password is a function of length, complexity, and unpredictability" - w:en:Password strength
• "As a rule of thumb, a password that is reasonably long, with a mix of upper and lowercase letters and numbers, and not mostly made up of dictionary words or names or personal information (date of birth, cat's name, etc.) is likely to be reasonably strong for everyday use. Passwords that consist of just lowercase letters can also be reasonably strong, but they must be significantly longer" - w:en:Wikipedia:User account security Quiddity (WMF) (talk) 22:39, 29 August 2017 (UTC)Reply

Actually, the documentation page should tell – when possible – if the current password seems strong enough. This might be implemented by something like adding a boolean "strong_password" which is set at the same time as the password, with a default value of nil which means "don't know". You might also try to run john the ripper or something like that to fill this boolean, but that might be a huge computation load for a very doubtful benefit. Psychoslave (talk) 22:02, 26 December 2017 (UTC)Reply

I've updated the page.

The Special:CreateAccount page should definitely have a way to get say to user how strong the password is. I've been able to create an account with "toto" as a password... There is a ticket for that. Trizek_(WMF) (talk) 15:17, 16 January 2018 (UTC)Reply

After just logging in for the first time in awhile, I got a notification that "Someone (probably you) recently logged in..." etc. (Popping up after I had logged in, so that was the cause of it.) Based on the description of this feature and the 'Add some information about success login from new device' thread below, I'm pretty sure this is not intended behavior? (note: I don't have successful-logins emails enabled, either.) The Bushranger (talk) 09:18, 2 September 2017 (UTC)Reply

You're right, it's not intended. This bug is being tracked here: T174220. We're working on tracking down the cause and getting it fixed. Thanks for the report! NKohli (WMF) (talk) 21:09, 2 September 2017 (UTC)Reply

No problem. :) As a follow-up, after several logins in the spanning time without it happening, I just had it happen again, so this is still a continuing issue. The Bushranger (talk) 05:34, 21 September 2017 (UTC)Reply

Same here. In my case, I had copied and pasted the password but this triggered a rejection, yet when I typed the identical password and logged in successfully, I started getting notifications that someone had attempted and failed to access my account. I can't get rid of this notification now, and don't want to change my password, since there was no breach of security in the first place. ~ Chrisdevelop (talk) 00:06, 2 April 2018 (UTC)Reply

Click on the blue circle in top right of the notification to clear it. SilkTork (talk) 09:09, 4 May 2018 (UTC)Reply

The section on "What should I do?" tells you that you should have a strong password, but it doesn't tell you what to do if you already do. Even a mention of "that's it" would be good. GPHemsley (talk) 22:54, 5 September 2017 (UTC)Reply

Thanks for the idea. I added this sentence: "Even if you do have a strong password, you may want to change passwords anyway, if you suspect that someone else has tried to access your account."

Do you think that's helpful? DannyH (WMF) (talk) 17:03, 6 September 2017 (UTC)Reply

I think that's helpful, but I don't think it fully addresses my concern: Basically, ensuring you have a strong password is the only action you can take as a user who is receiving these notifications. That point should be made explicit, I think, or else the user will be left asking "OK, now what?" GPHemsley (talk) 01:01, 7 September 2017 (UTC)Reply

Hmm, what would you suggest? DannyH (WMF) (talk) 17:16, 7 September 2017 (UTC)Reply

I'm not sure, as I don't have a full understanding of what causes these notifications. Jumping off from some other threads here, maybe a suggestion as to the possibility that your devices are attempting to log in for you while you are traveling? GPHemsley (talk) 21:12, 8 September 2017 (UTC)Reply

I think that the current sentence is very misleading.

"Even if you do have a strong password, you may want to change passwords anyway, if you suspect that someone else has tried to access your account."

Someone who already has a strong password will not in any way benefit from changing their password unless they already got hacked.

Also, it probably shouldn't be plural? (passwordS?!) Or does Wikipedia support a multi-password login mechanism?

There was a paper out there about this very topic but I can't find it now. I probably have a copy on my drive, somewhere, but with a good 1Tb of data... Oh well. Anyway, the definition of a "strong password" is also extremely blurry. A very long passphrase can be a lot better than a "super complicated" 8 chars password. Alexis Wilke (talk) 23:32, 3 May 2018 (UTC)Reply

Thanks for warning me, but to contact me this way every time I make a typo in my password is an exaggaration we do not like. Some people may get scared to death (sorry for doing the same LOL) or insulted by thinking "I know my password is so strong that I mistype it myself sometimes".
Kind regards from (temporary) Egmond aan Zee, Klaas `Z4␟` V:  07:00, 4 May 2018 (UTC)Reply

BTW: can you tell me what IP-address tried to enter in a WMF-site in my (user)name? Klaas `Z4␟` V:  07:16, 4 May 2018 (UTC)Reply

Hi KlaasZ4usV -- over the last day, there was a large-scale attempt to break into random Wikipedia accounts. The vast majority were unsuccessful, and the Wikimedia Foundation's security team has stopped the attacks and communicated with the small number of people whose accounts may have been compromised.

There's more information in this post by the Director of Security on the Wikimedia-L mailing list. DannyH (WMF) (talk) 17:47, 4 May 2018 (UTC)Reply

I have the Wikipedia mobile app installed on both my phone and my tablet (both Android devices), and I have seen a significant uptick in the last couple of months of notifications of a multitude of failed login attempts that seem to coincide with my having opened the app, perhaps with a less-than-reliable internet connection. Is this a known issue? GPHemsley (talk) 23:25, 31 October 2017 (UTC)Reply

We haven't heard this before, thanks for your report. I created a bug ticket for it, if you want to follow it: phab:T179518

I have a question -- There's two types of notifications: are the ones you're getting about failed login attempts, or successful attempts from an unfamiliar device?

If the app is triggering them, I would think the "successful attempts from an unfamiliar device" notifications would make more sense than the failed attempts -- but if you're getting failed attempt notifications, then there really is something odd going on here. :) DannyH (WMF) (talk) 17:49, 1 November 2017 (UTC)Reply

I've gotten repeated notifications about failed logins for my account on German Wikipedia for days now. Is there anything else I can do about it besides having a secure password? Cuchullain (talk) 18:44, 14 November 2017 (UTC)Reply

@Cuchullain that is sufficient. You can turn off the failed login attempt notifications if they get too annoying. NKohli (WMF) (talk) 18:56, 14 November 2017 (UTC)Reply

I've also received repeated notifications (sometimes 5 in half an hour) . This past week I've received 20 notifications. I've got a strong password but it concerns me that there is the possibility to make so many attempts. Gerardduenas (talk) 08:20, 5 December 2017 (UTC)Reply

@Gerardduenas you need not be concerned. The possibility to make attempts is on every website and not something we can control. NKohli (WMF) (talk) 12:12, 5 December 2017 (UTC)Reply

There are some control that can be done, and I think are actually done, like blocking further attempt from an IP/device to log on an account until some emailed link was consulted. I don't know the exact policy regarding this though, and adding some link about this topic on the Login notifications page would be interesting I guess. Psychoslave (talk) 21:50, 26 December 2017 (UTC)Reply

Go on. Who is the joker who thought SUL, failed login notifications and having to disable them on each and every wiki was a clever thing? What a shower of utter shit. It's no wonder I can't be arsed to contribute to this bollocks any more. Maybe Sanger and his distributed encyclopedia needs a hand. Utterly dim witted. Pedro (talk) 23:02, 13 December 2017 (UTC)Reply

Thanks for the glorious description, @Pedro. To answer your question, it was a community decision to enable the notifications on all wikis and not the way we deployed it originally. You may wish to talk to @IKhitron about this. NKohli (WMF) (talk) 03:44, 14 December 2017 (UTC)Reply

Hi @Pedro - I'm sorry you're getting too many notifications. Can you give us a little more information about what's happening?

What I'd like to know is: are you getting multiple notifications from the same wiki, or from lots of wikis? Are they notifications about other people trying to log in with your account, or are they about you logging in from an unfamiliar device?

Any details you can give us would help. DannyH (WMF) (talk) 18:18, 15 December 2017 (UTC)Reply

I suggest that this tool is basically useless (at least is useless to experienced users) unless there's notification of the IP address from which the login attempt has been performed.

Today (26 December 2017) I received 7 (seven) e-mails in a row from 2:45 UTC+1 until 3:03 UTC+1 that read that on en.wiki an anonymous user had tried to log in (my home wiki is it.wiki, as a matter of fact). Later in the afternoon I received same notification that on zh.wiki there had been three attemts from 15:57 UTC+1 to 15:58 UTC+1.

Rather than recommending to an established (13+ years) user (who happens also to be an administrator on Wikimedia Commons :-) ) to adopt a strong password, could this tool provide them with the IP of the lamer who tries to get in with someone else's credentials? Blackcat (talk) 17:54, 26 December 2017 (UTC)Reply

What would you do with this IPs? Psychoslave (talk) 21:45, 26 December 2017 (UTC)Reply

Well, first of all to determine where the attempt comes from.

Then I have a base to report to the law enforcers this attempt, because in our legislative system both attempting to enter to an online system with false or stolen credentials and attempting to steal the said credentials is a crime. Blackcat (talk) 21:56, 26 December 2017 (UTC)Reply

Ok thank you for this information. Psychoslave (talk) 22:31, 26 December 2017 (UTC)Reply

Hi @Blackcat, there is a ticket for this (T174388) that is currently being worked on by a volunteer developer. We've received similar feedback from other users and are keeping an eye on the progress of this task. Thanks. NKohli (WMF) (talk) 11:44, 29 December 2017 (UTC)Reply

yes, @NKohli (WMF), thanks, the problem is that the developpers are lost in pointless issues. Technically can be done, is not up to them to worry about the privacy issues , I don't know what to do with a warning that doesn't explain me which IP has attempted to steal my credentials, and that doesn't allow me to report it to the law enforcers. Blackcat (talk) 22:11, 29 December 2017 (UTC)Reply

are there any news on this subject ? A1000 (talk) 11:54, 4 May 2018 (UTC)Reply

Basically they don't want to disclose IPs. Blackcat (talk) 12:30, 4 May 2018 (UTC)Reply

@A1000 It's still under development. For the login attempt notifications you are seeing currently, it is a large-scale attack and the Operations team knows and is working on it. Please see the statement made by the security team yesterday for more information. NKohli (WMF) (talk) 17:47, 4 May 2018 (UTC)Reply

Thx for info, i am one of those guys who have logins at several wikis and use different computers to connect them what means i have no enought information from the current mail to see if there is a problem or if i triggert a warning accidently A1000 (talk) 11:01, 5 May 2018 (UTC)Reply

I'd also like to see the IP address as I've been getting failed login attempts: not many, but enough to spook me. Wikipedia isn't afraid to show people's IP address when someone edits something if not logged in, so why the reticence if someone's doing something wrong? Vometia (talk) 10:47, 7 May 2018 (UTC)Reply

Because they don't really want to solve the issue. Blackcat (talk) 11:31, 7 May 2018 (UTC)Reply

Alternatively, if there's some kind of privacy concern, give us the rough location of where the attempt is coming from, or the first few numbers of the IP address. I kept getting mails like "Someone from China tried to log in on your account" on another website, which made it obvious to me that my account name was just on some list on a Chinese hacking site that was used in brute-force attempts. Knowing that would reassure us that we just need a strong password and can otherwise ignore it. If it says it's from my rough area, I'd assume it's a problem on my end like the cookie accidentally getting deleted. Prinsgezinde (talk) 13:39, 7 May 2018 (UTC)Reply

Bureau for the Complication of Simple Issues. And they are not even Italians.... Blackcat (talk) 15:10, 7 May 2018 (UTC)Reply

We would love to send people the IP address, but this is more complicated than it sounds, mainly due to privacy issues and the GDPR. Discussions are ongoing, but unfortunately we are not going to be sending the IP addresses in the immediate future. If the notifications aren't useful to you because of that, feel free to turn them off in your preferences. Sorry we don't have a better solution at the moment. Ryan Kaldari (WMF) (talk) 09:51, 19 May 2018 (UTC)Reply

Ryan, you are an intelligent person. You understand by yourself that a warning of failed attempt access without the ip is completely useless.So you'd better remove that tool at all. Blackcat (talk) 10:00, 19 May 2018 (UTC)Reply

I'm being notified about login from a new device when I just log in from my usual device using a new network. The message claims I logged in from an new device not that I logged in using a new network(Login to Meta as Kaartic from a computer you have not recently used ...). Further, identifying a device using the network address doesn't seem nice idea to me. Network addresses aren't tied to the device so strongly. Also, it triggers lots of false positives as in my case.

Hope a better alternative was used to identify new devices correctly and appropriately.

Note: This all relies on the assumption that devices are identified using the network addresses. If that's not the case, please help me find why I see false positives. Kaartic ^[talk] 17:22, 1 February 2018 (UTC)Reply

When we say device it's actually the browser. It checks for both browser AND IP address. It places a cookie in your browser so next time you login from same browser, it doesn't warn you. And in case of no cookie, it checks whether your account has previously performed any actions from the IP address you're logging in from. This is done by consulting the CheckUser table(s).

If you use incognito mode or clear your cookies manually AND change your IP address then you will receive this notification.

The language used is intentionally simple in order to not confuse people with complex jargon.

I hope this clarifies stuff. :) NKohli (WMF) (talk) 19:04, 1 February 2018 (UTC)Reply

If you use incognito mode or clear your cookies manually AND change your IP address then you will receive this notification.

I was reporting this because I didn't satisfy the above condition. (I guessed you would be using cookies in some way). To be more clear I got the notification when I logged into a browser I use day to day. The only odd thing was I was on a new network. But Wait! I'm a user of multiple browser profiles. So, there's a possibility that I haven't previously logged into Wikipedia in the particular profile. So, there's a possibility that the cookie might be missing. But I do mildly remember logging into Wikipedia at least once on every profile I use in my browser.

To conclude, consider this "Stalled" until I'm pretty sure that I get notifications when I log into a browser profile that I've previously used. (I suspect the cookies are somehow vanishing surprisingly from my browser: T151770 ??) Kaartic ^[talk] 06:45, 3 February 2018 (UTC)Reply

In this case, how is it possible for me to find the IP address of the attempt source? Also, is it possible to which site the login was attempted, because I have global login. This is the first time I received such a message since I registered as a member. Currently, I test and work with two browsers, Firefox and Vivaldi, both in Windows and in Linux Mint. — Ineuw talk 00:23, 4 May 2018 (UTC)Reply

@Ineuw Hi, this is a widespread login attempt attack happening to a lot of user accounts today. See discussion on the enwiki village pump. The operations team is aware of this and we have banned the bot(s) trying to do this. You don't need to worry about it if you have a secure password.

The feature to show users the IP address of the attempt is still in the works and not live yet, unfortunately. Sorry about that. :( NKohli (WMF) (talk) 00:59, 4 May 2018 (UTC)Reply

showing the IP is one thing... we should also be shown the device name... that's what i'm more interested in since it is how i identify my devices... that would let me know if someone is trying to duplicate my device or, with the IP number, maybe i can find a lost or stolen device... Wkitty42 (talk) 04:28, 8 May 2018 (UTC)Reply

@Wkitty42 Device name is private information which we do not store on our databases. We try to collect as little information as we have to, to maintain privacy for our users. If you want a feature to find a lost or stolen device, you can make use of features that Google and some other apps provide. NKohli (WMF) (talk) 17:09, 8 May 2018 (UTC)Reply

Hey, Kante4 here. Yesterday i had a notification about a failed log in attempt and created a new password as adviced. But somehow i can't login with this. The e-mail i had here is old i think, which means i can't get a new one. Any advice how to get my old account back? 109.91.152.164 (talk) 08:28, 4 May 2018 (UTC)Reply

In which way you created new password? Used reset or changes after login? wargo (talk) 08:52, 4 May 2018 (UTC)Reply

On mediawiki after i got a message because of an failed attempt while i was not at home. https://www.mediawiki.org/w/index.php?title=Special:UserLogin&returnto=Special%3AChangeCredentials&returntoquery=&force=ChangeCredentials was the adress if it helps. 109.91.152.164 (talk) 08:57, 4 May 2018 (UTC)Reply

And it was told to me that i should change one. It worked all good yestrerday after that but today i was logged out and can't login which either password. I requested a new one to my e-mail actual adress but that is the one i had in my preferences sadly. So not sure if one is sent or can't because it is not my one here. 109.91.152.164 (talk) 09:02, 4 May 2018 (UTC)Reply

Maybe i should have not changed my password. 109.91.152.164 (talk) 09:07, 4 May 2018 (UTC)Reply

Are you definitely no longer in control of your email address attached to this account? So Special:PasswordReset does not work? Have you checked your spamfolder? :) JSutherland (WMF) (talk) 22:31, 7 May 2018 (UTC)Reply

It's always possible this is just a mistake or something we personally did. It's more useful for us to see some info, like the browser and IP geolocation (If not the IP address itself). This is how other sites do it, and I've definitely caught some times where it was just me.

If there is a way to get this info, please make it clearer. As is, I can't tell if my latest attempt is something I care about or not. The timing was weird. Trlkly (talk) 11:54, 4 May 2018 (UTC)Reply

Yes, that would be very important. And perhabs, which Wiki* the login was.

I got the mail today and i feel very uncomfortamble. I looked at the the Wiki*, I use often, and there are no unknown posts. But the Wiki*, i do not use?? Riepichiep (talk) 03:38, 10 May 2018 (UTC)Reply

Hi Trikly -- over the last day, there was a large-scale attempt to break into random Wikipedia accounts. The vast majority were unsuccessful, and the Wikimedia Foundation's security team has stopped the attacks and communicated with the small number of people whose accounts may have been compromised.

There's more information in this post by the Director of Security on the Wikimedia-L mailing list. DannyH (WMF) (talk) 17:49, 4 May 2018 (UTC)Reply

Regardless, we should be able to see the browser/IP of the failed attempted logins. LaUr3nTiU (talk) 23:17, 4 May 2018 (UTC)Reply

If the IP address is visible on a wiki edit page unless the user has an account there should be no issue with giving the IP of the attempted login to the owner of the account that has been tried. If it is their own IP they will know it and if it is from somewhere else they will need it to report it to the authorities. The information about the IP being used is not being made public - it is simply being reported to the owner of the account. Lots of other systems do that by saying "This IP tried to log into your account - if this is your own IP no further action is needed".

But also - if there is a known attempt ongoing it makes it less concerning to me than that someone is targeting me personally - for a site with issues about not having enough women and minorities, it would be good to know if a user is being targeted as a woman or a minority or that the whole site is being targeted. Antiqueight (talk) 14:07, 7 May 2018 (UTC)Reply

I'll just add to the already numerous criticisms of this ridiculous "feature' added in 2017. You say multiple attempts have been made but give us no other information. What device? Is it my phone? Have I unknowingly tried to log in to Wikipedia several times on my phone and failed? Why would anyone want to break into my account?

Then you say change my password. Ha! If they tried to break into my account and failed then how would changing my password stop them from trying.

Why don't you stick to reviewing articles on Wikipedia. ~ Dangnad (talk) 18:04, 7 May 2018 (UTC)Reply

Hi Dangnad -- there was a large-scale attempt last week to break into many random Wikipedia accounts. The Wikimedia Foundation's security team stopped the attacks, and posted information in this post on the Wikimedia-L mailing list.

It's stressful when you find out that someone's been trying to break into your account. I think in this instance, the notification feature successfully informed you that there was a problem, and it brought you here to get more information. :)

For me personally, the notifications were a good reminder to make my password harder to crack. Automated attacks like the one that happened last week run through a lot of word and number combinations, so it's good to be sure. DannyH (WMF) (talk) 18:22, 7 May 2018 (UTC)Reply

Just like Dangnad mentioned, it would be really useful if we can get more details about the failed attempts. Was I drunk last night and I tried to login? Was it on my phone/desktop/laptop? Was it a different person from a different country trying to hack into my account? Just giving a random information and the assurance that the Wikimedia staff blocked the attempts if not enough. LaUr3nTiU (talk) 16:07, 9 May 2018 (UTC)Reply

Today I received "Multiple failed attempts to log in", but actually, this is not very useful for me.

I would like to know:

1 - which passwords had been tried? How close are the attempts to my password?

2 - how fast did the attempts come? Is there a program trying to guess my password or is it a human?

3 - Am I the only one or are there also other attempts on other accounts? Plenz (talk) 13:43, 7 May 2018 (UTC)Reply

Hi @Plenz. Good questions! I'll try to answer them. For the first one, we typically do not keep track of that information nor can we reveal them. This is because is someone's username is 'Plenzz' and they misspell it and use their password, revealing that password to you could be a privacy violation of their account. For more information in general, you can look at this graph. It's a little tricky to decipher. The huge spikes you see are caused by a bot/program which is trying to login to thousands of wiki accounts per second. Your account is not the only one affected. As usual, when things like this happen, engineers in Wikimedia keep a close watch on it and block the programs so they cannot login, but we cannot stop them from trying to login anyway. And also, you can always trust enwiki village pump to have more information about these things if they happen on a large scale. NKohli (WMF) (talk) 17:54, 7 May 2018 (UTC)Reply

If the password is available in the clear --that is, not Challenge–response authentication-- it would be interesting to have a check-passwd function which returns a number, rather than just a Boolean. For example, it could return the Levenshtein distance or variants thereof. While a 0 would mean "pass", positive distances, along with the number of attempts, could be used to estimate how close to guessing an attacker has gone. In other words, that would be a "real" password strength checker. Ale2006 (talk) 10:19, 10 May 2018 (UTC)Reply

@Ale2006 That's an interesting idea. We'll look into that although it would probably be challenging to implement because we don't store passwords when an attempt is made. We simply reject the login if there is a password mismatch. NKohli (WMF) (talk) 18:08, 10 May 2018 (UTC)Reply

I'd at least like to know what IP tried to log in, or where they logged in from. Or what device was used. That way I can find out if it wasn't just me. 72.199.184.243 (talk) 03:15, 14 May 2018 (UTC)Reply

@Ale2006 If wikipedia is storing hashed passwords (as they should!) then it would be impossible for them to recover the levenshtein distance from a password login attempt. Storing the unhashed password gives minimal useful information, and opens up a large attack vector for quickly retrieving a large number of passwords. Jcdyer3 (talk) 15:23, 28 August 2018 (UTC)Reply

The passwords are not stored in the clear. :) NKohli (WMF) (talk) 22:59, 29 August 2018 (UTC)Reply

My Internet Service Provider (ISP) changed the IP address on my high-speed cable modem last week, probably because the IP lease expired, and now I'm getting incessant email notifications of attempted logins from "an unknown device". IP leases expire after at most 7 months, or so, although they can be set to expire after shorter elapsed times. This same approach is being taken by Google, and last week they blocked no less than a dozen email accounts that I monitor for the same invalid reason. Monitoring IP addresses is simply not a viable way of screening for attempted break-ins. Wikimedia Foundation needs to shut this misfeature off, or provide a means for individual users to shut it off.  — Quicksilver^{T @} 19:00, 7 May 2018 (UTC)Reply

You can turn it off in your preferences -- in the Notifications tab, you'll find "Failed login attempts" and "Login from an unfamiliar device". Sorry that the feature was annoying you. DannyH (WMF) (talk) 00:54, 8 May 2018 (UTC)Reply

Thank you. Done.  — Quicksilver^{T @} 07:24, 8 May 2018 (UTC)Reply

It talks about "n failed attempts" but we don't see any of that, we see "multiple". Aisteco (talk) 11:57, 10 May 2018 (UTC)Reply

http://www.govtech.com/security/Widely-Used-Password-Advice-Turns-Out-to-Be-Wrong-NIST-Says.html says:

In 2003, when Bill Burr was a manager at the National Institute of Standards and Technology, he wrote guidelines for creating safe online passwords. The paper, memorably titled "NIST Special Publications 800-63," became the benchmark, its diktats followed by government agencies, corporations, universities and individuals.

Burr recommended creating passwords that were essentially weird nonsense words, chock-full of special characters and occasional capital letters and numbers. He also said people should change their passwords regularly. But he was wrong, and he admits it. "Much of what I did I now regret," he says.

It wasn't really his fault. At the time, he was mostly flying blind. He had to rely on common sense as much as technical expertise. Now, 15 years later and after major hacks of corporations such as LinkedIn and Twitter, computer analysts have the data to determine which kinds of passwords work and which don't. And so the National Institute of Standards and Technology has radically reworked its guidelines.

New recommendations from the National Institute of Standards and Technology call for people to create passwords that are "long, easy-to-remember phrases" -- a series of four or five words mashed together. This can be "harder for hackers to crack than a shorter hodgepodge of strange characters."

So, should we get rid of the advice that people should use Tr0ub4dor&3 instead of correcthorsebatterystaple? Banaticus (talk) 18:18, 18 May 2018 (UTC)Reply

Never used an iPad before and the screen's sensitivity to touch messed up my several attempts until I simply gave up. I was at the BAnQ library and I am sure that the IP address is known to Mediawiki. Everything is OK, I have a strong password, and as one can see there are no problems when using a keyboard. Ineuw talk 05:28, 1 September 2018 (UTC)Reply

Hello, I would like on my profile a list of IPs and Geolocations I have logged into Wikipedia with. This will help greatly in knowing where all I've been and used Wikipedia from. Please get this feature live as soon as possible. Thank you! NK97 (talk) 06:10, 25 September 2018 (UTC)Reply

I'm sorry, but it was myself trying to log in from my mobile device. :) I guess I should remember my passwords. @Avians Avians (talk) 17:19, 26 September 2018 (UTC)Reply

It seems everyone will gripe when something (perceived) "goes against the grain". I was hacked on a major website (the incident made national news) that involved a loss of money (that was replaced) so I would like to say thanks for the effort. I do not have to read between the lines to understand "IF" I attempted to log in and for 1000 reasons: Like missing a button with my tired eyes, forgot I changed the password, and because of a brain-fart, repeated the error, then hit the wrong button again, or logged in from an unknown browser or phone (etc...), I pretty much will know it is me that did this and can just ''ignore the message''. On the other hand; if it was not me (or my wife) then maybe it could have been a "hack attack". I am glad I get the notices (happened today) and can put up with some redundant messages, so thanks. Otr500 (talk) 23:09, 29 September 2018 (UTC)Reply

Hi Otr500, you describe the case when someone fails to login. In that case, I fully agree with your opinion. The base of the present thread, however, is a case in which you receive such a message everytime you successfully Login, only because the server does not remember, due to any reason such as problems with cookies, that you have already logged in from the same device. However, in the past six months, this happened only once or twice to me so that I think the Underlying problem has been solved. Bjs (talk) 10:41, 14 April 2019 (UTC)Reply

The suggestions in Help:Login notifications#Have a strong password are not really up-to-date.

You should not really emphasize the need of special characters or so. It is easy to mathematically calculate (see Wikipedia; n=length of password; k=character set to choose from) that longer passwords are much more secure than a same-length password with more special characters.

This also aligns with new policies by the NIST. See https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ e.g. rugk (talk) 22:02, 13 April 2019 (UTC)Reply

Wikipedia needs to change this.

They should at least use a password reset or security questions similar to Gmail or Facebook.

E.G.

If you remember the date you join.

Identify the articles you've written.

OR

Then they give you a reset link with your E-Mail. Vampire Michella100 (talk) 11:34, 16 April 2019 (UTC)Reply

Sorry, but no. This is exactly the wrong way and also included in the new NIST guidelines. "Knowledge-based authentication" is out as it is totally insecure. (one can just look on Facebook and see most of these things or so.)

And what articles you've written is public too, so you cannot authenticate with that…

This is really only about clarifying the paragraph there… rugk (talk) 12:49, 21 April 2019 (UTC)Reply

This is not really a discussion, it is more a feature request but I posted here to guide me to the creation of the feature request if relevant.

I have a unified login. I get the email with title "Failed attempt to log in to Wikipedia as X" in multiple languages. When it comes from a language that I'm not sure recognize, I would like to have an hint from which Wikipedia the message comes. So far, I have to hover the "change password" link to see that the url is http://xx.wikipedia.org/

I suggest to improve the message saying : "Failed attempt to log in to Wikipedia (xx) as X". Jona (talk) 09:46, 18 April 2019 (UTC)Reply

...for example, the e-mail should say the IP address, the owner of the IP (based on a "whois" lookup) and the operating system that the user was on, and whether the login was successful or not. (The way that the message is worded, it sounds like the logins were successful, therefore, probably me! But this help article says that the feature is triggered for unsuccessful logins. Multiple unsuccessful logins should result in a message saying how many unsuccessful attempts there were.) 71.178.21.164 (talk) 01:00, 19 July 2019 (UTC)Reply

I think so. 42.3.134.250 (talk) 17:45, 20 July 2019 (UTC)Reply

I agree.-SharabSalam (talk) 09:59, 8 April 2020 (UTC)Reply

I agree.

• The IP address / location would be helpful. I'd like to verify the login attempts are not the result of something going wrong with one of my devices.
• I'd like to understand whether the IP trying to login eventually got blocked. Or are they allowed to continue trying to brute force their way in to my account? 98.110.130.20 (talk) 14:29, 9 January 2021 (UTC)Reply

I agree that the number of attempts would be particularly useful, to distinguish between a serious attempt to crack and someone not sure if this was their account name. Hv (talk) 16:02, 6 August 2021 (UTC)Reply

That's ridiculous, I am logged in Commons and he.wiki. I was able to log in even though my password is only 9 characters but not I cant do it. 79.182.37.52 (talk) 21:22, 16 September 2019 (UTC)Reply

Apparently there have been 42 attempts to log into my account from other devices in the past 24 hours. Why is it that, when someone asks for a password change, we are told the IP address they tried it from, but when they make an attempt from another device, we can't get this information? Deb (talk) 10:17, 9 January 2021 (UTC)Reply

Porque una la inicio desde el celular y la otra desde el lap top 186.145.113.176 (talk) 05:35, 12 January 2021 (UTC)Reply

I don't see how that's an answer. Every device has an IP address. ~ Deb (talk) 10:06, 12 January 2021 (UTC)Reply

This has been requested at T174388. Feel free to subscribe to that task to get updates Ciencia Al Poder (talk) 12:40, 12 January 2021 (UTC)Reply

I suspect that these notifications are shown a long time after the login attempt. Usually it's several hours, and sometimes it can be even several days. This misses the point of the notification. To be useful it's supposed to arrive after several seconds and not several hours. Sometimes I type my password incorrectly by mistake, and receive a notification after a long time. If I happen to remember that I mistyped the password, it's kind of OK, but it's not so robust. And when I don't remember if I mistyped it, I have to wonder: did I mistype it several days ago and forgot it, or was there an actual attempt to crack my account?

Other applications send such notifications instantly. Google and PayPal are obvious examples. They also show information the attempt, such as country and device brand. So it was an Android phone (which I own) from Israel (where I live), then it's less likely (though still possible) that it's a cracking attempt, and if it's a Windows device in Vietnam (this actually happened), then it may be a cracking attempt. I'm really, really not a security expert, but from the little I do know, these MediaWiki notifications are too slow and contain too little information to be really useful for security. Amir E. Aharoni {{🌎🌍🌏}} 09:19, 25 January 2021 (UTC)Reply

This says: The extension allows you to get an email when a user logs in successfully to your account from an unfamiliar device and IP.

What extension? It says it's on by default but doesn't tell me where to check. Like, are we talking Preferences>somewhere? On my home wiki, or somewhere global? It would be useful to explain this for those who like me are not as techincally oriented, thanks! Valereee (talk) 12:53, 22 February 2021 (UTC)Reply

I agree, take me off as well Bubbabray33 (talk) 09:16, 9 March 2021 (UTC)Reply

Foram detectados problemas com a sua sessão; Esta ação foi cancelada como medida de proteção contra a interceptação de sessões. Experimente usar o botão "Voltar" e atualizar a página de onde veio e tente novamente. 187.123.38.181 (talk) 13:32, 18 June 2021 (UTC)Reply

Alguem pode me informar porque minha conta foi cancelada 187.123.38.181 (talk) 13:35, 18 June 2021 (UTC)Reply

Didn't we use to get an email that indicated the IP address from which login attempts were made? That was a very useful thing that helped weed out LTAs. A page teaching me about passwords is of no use. Drmies (talk) 15:04, 3 August 2021 (UTC)Reply

Not a useful warning. Wikipedia should include or allow me to access enough information to assess what sort of attack it was. Let me offer three attack scenarios that I could distinguish between. (1) Trivial dictionary attack with nothing but my user name and some frequently used passwords. This would be especially harmless if it was part of a broad attack at many user names. (2) A targeted attack based on one of my actual passwords. This might be a highly personal phishing attack where some other system has been breached and that password is being tested against other systems I might be using. (3) The attack might be based on a breach of Wikipedia itself, where the password they are probing with is a partial match of my actual password. Obviously not a total breach, since that would have avoided any login failure, but perhaps something that allows them to guess highly likely passwords and the failures were incorrect confirmation attempts.

In addition to information about the nature of the login failures, something to help identify a successful breech would be helpful. Right now the only information that comes to mind would be a summary of my edits since the possible attack. I probably can't remember every edit I've made, but I almost surely could recognize weird patterns.

(Why did it MediaWiki apparently log me out? Was that a security thing? Anyway, I don't see any reason not to put my identity on this suggestive feedback (?).) Shanen (talk) 07:02, 25 December 2021 (UTC)Reply

... I prefer to refer people to the authority on the subject:

https://imgs.xkcd.com/comics/password_strength.png

There is no reason for 'requiring' those strange combinations of upper-case letters and numerals and symbols, just in the (mathematically incorrect) sense that they 'feel' more comfortable. Long passwords, by contrast, are far more secure, even if they are composed exclusively of dictionary words.

Information theory FTW! Gwyneth Llewelyn (talk) 14:22, 1 May 2024 (UTC)Reply

i just got a notification, i did not login into my account manually recently, but my app might have done it automatically. my password never leaked as far as i know, i use password manager and change it eventually without any consistency but might have done it in the past 3y or so, and i do not think someone else would even try to login, so i would really like to see the so proposed page with activities! any clues? Cregox (talk) 10:46, 13 August 2024 (UTC)Reply

Seems quite confusing that the triggered login notification (as a result of logging in for this election, or perhaps as a result of failing to login to another part of Wikipedia related to the election) refers to Meta. At first I thought it was related to a fake Facebook account in my name that the "big" Meta is unable to remove or block, but now I think your email has no reference to that Meta. So there is no problem? I hope. But I still think your security email should not create confusion by saying it is from Meta. Shanen (talk) 16:23, 13 September 2024 (UTC)Reply

Hi there. The software to tell you about login notifications uses the site's configured name ({{SITENAME}}), rather than a hand-configured message. There's a message for Meta's name, which is project-localized-name-metawiki, which displays as "Meta-Wiki" which is less likely to be confused with Meta the company, certainly.

If you think that the Meta community should rename their configured wiki name (e.g. to "Meta-Wiki", like the message), I think that's a reasonable request, but that should be a determination for that community, not the developers, so it'd be best raised at Meta:Babel. Jdforrester (WMF) (talk) 18:43, 13 September 2024 (UTC)Reply

Thanks and sorry I didn't notice your reply earlier--but I mostly don't care about Wikipedia these years. Certainly not enough to pursue the resolution of such a minor confusion.

(Like the confusion about my logged out status. It handled it correctly anyway. I was able to log in without losing the draft.) Shanen (talk) 17:00, 26 October 2024 (UTC)Reply

My username and password are correct, but unfortunately I have a new PC - therefor I cannot login anymore. All the new passwords (logons) I receive, cannot give me a logon. I've tried so many times and different ways with out success ;-(

Regards Svend ~2025-38389-38 (talk) 11:05, 4 December 2025 (UTC)Reply