Password and 2FA reset
This document offers guidance when a Wikimedia user loses access to their account and can't log in.
Wikimedia account password reset
A user can't log in, and can't recover the account through the self-service form, when both of these conditions are met:
- they have a blank or incorrect email address;
- they have forgotten their password.
In that case the reset has to be done by hand, and the main risk is social engineering: whoever handles the request must make sure the requester has a legitimate claim to the account in question. A good check is whether the requester's e-mail address can be independently tied to that account, rather than merely asserted by the requester.
For users
Before asking an administrator for a password reset, try to reset it yourself via the Special:PasswordReset form. If that doesn't work for you and you are a Wikitech user who:
- needs a password reset, or
- needs two-factor authentication disabled,
open a new Phabricator task tagged with both cloud-services-team and Trust-and-Safety.
Be prepared to answer questions to validate your identity. Often the easiest verification method is to show that you still control the SSH private key associated with your Developer account. Do this by creating, as your Developer account, a text file on a Cloud VPS or Toolforge bastion server that references the Phabricator task you opened:
$ ssh bastion.wmcloud.org # or `ssh login.toolforge.org`
$ cd $HOME
$ touch 2fa-reset-request.txt
$ chmod 0600 2fa-reset-request.txt
$ echo "https://phabricator.wikimedia.org/[YOUR PHABRICATOR TASK NUMBER]" > 2fa-reset-request.txt
$ echo "$(hostname -f):$(pwd)/2fa-reset-request.txt"
Then make a comment on the Phabricator task including the output of the last command so that the person who helps you can find the verification file easily.
For admins
Ensure the request is legitimate
Make sure the request is legitimate; the checks to perform are described at Password reset/Confirming identities.
In particular, notify someone from Trust & Safety of the password reset. If there is not enough evidence to confirm the requester's identity, hand the request over to them rather than guessing.
Technical procedure to follow
- On a maintenance server, run
mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
- In your browser, go to Special:PasswordReset on the user's main wiki.
- Type in the user's name, leave the e-mail address blank and click "Reset password".
- Ask the requester to check their inbox to ensure that the password reset email was received.
Notes:
- The exact wiki passed as --wiki shouldn't matter much: on CentralAuth wikis the e-mail address lives on the global account, so any wiki where the user has a local account will do.
- MediaWiki usernames can contain UTF-8 characters. If you have difficulty using them on the terminal, you can instead use the user id prefixed with #.
Old instructions in case something goes wrong
On CentralAuth wikis, the eval.php script has the effect of updating the globaluser table (gu_email and gu_email_authenticated) and then clearing the relevant memcached key.
Two-factor authentication removal
Before following these steps: if the user still has a device that has worked with 2FA in the past and has suddenly stopped working, first make sure that device's clock is accurate. The clue is in the name of the 2FA method we use, Time-based One-time Password (TOTP): codes are derived from the current time in short fixed steps (30 seconds by default), so a device whose clock is too far off generates codes the server will never accept. Even a two-minute difference is enough to cause this.
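The clock-skew failure mode above, worked through in code. This is an added example, not code from this page or from the OATHAuth extension: a plain RFC 4226/6238 HOTP/TOTP implementation, using the secret from the RFC test vectors (not a Wikimedia secret), that shows which codes a device with a skewed clock would submit and whether a server accepting only the neighbouring time steps would take them. The ±1-step acceptance window is an assumption for this example; the window OATHAuth actually uses is not stated on this page.

```python
"""Added example: RFC 6238 TOTP and the effect of a skewed device clock.

Not part of the Wikitech page or of OATHAuth; the acceptance window and the
30-second step are the usual TOTP defaults and are assumptions here.
"""
import hashlib
import hmac
import struct
import time
from typing import Tuple

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6       # code length shown by typical authenticator apps
SKEW_STEPS = 1   # assumption: server accepts the previous, current and next step

# Secret from the RFC 4226 / RFC 6238 test vectors (constructed test input).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, server_time: int,
           skew_steps: int = SKEW_STEPS) -> bool:
    """Accept `code` if it matches any step within +/- skew_steps of the
    server's current step. Uses a constant-time comparison per candidate."""
    current = server_time // STEP
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


def skew_demo(secret: bytes, server_time: int, device_offset: int) -> Tuple[str, bool]:
    """Return (code the device shows, whether the server accepts it) for a
    device whose clock is `device_offset` seconds away from the server's."""
    code = totp(secret, server_time + device_offset)
    return code, verify(secret, code, server_time)


if __name__ == "__main__":
    now = int(time.time())
    for offset in (0, 30, -30, 120, -120):
        code, ok = skew_demo(SECRET, now, offset)
        print(f"device clock {offset:+5d}s -> code {code} accepted={ok}")
```

With the ±1-step window a device that is one step (30 s) off still works, but a device two minutes off is four steps away and every code it shows is rejected, which is exactly the "suddenly stopped working" symptom the paragraph describes. Fixing the device's clock (or enabling automatic time sync) is the remedy; disabling 2FA is not.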
Wikimedia two factor authentication removal
Be careful! This process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:
- If you recognize them, have a face-to-face meeting or one in a video chat.
- If someone on WMF staff recognizes them, have a three-way video chat where a staffmember vouches.
For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on a maintenance server using that wiki:
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>
Privileged user groups may also use Special:DisableOATHForUser to remove 2FA from any user account. Its use is logged at Special:Log/oath. This requires the oathauth-disable-for-user right. On Wikimedia Foundation production wikis members of the Staff and System administrator global groups, and WMF Trust and Safety local Meta-Wiki group have it.
The user can then log in using just their password and re-add two factor authentication.
Phabricator two factor authentication removal
- Requesting a 2FA reset for a Phabricator account: mw:Phabricator/Help/Two-factor Authentication Resets
- Performing a reset as a Phabricator admin with shell access: Phabricator#Removing Two Factor Authentication
Reset user password in LDAP
To reset the password of a Wikitech (LDAP) user, root or a member of the ldap-admins admin group can:
- install the slappasswd utility locally (it is part of the slapd package);
- use slappasswd to hash the new password (it produces an {SSHA} hash by default);
- ssh to an mwmaint server (ssh mwmaint1002);
- run
sudo modify-ldap-user <username>
(replace <username> with the actual user), paste the SSHA password hash line and save with :wq.
When the user logs in afterwards, the username must be spelled exactly as stored: capitalization matters, and not just for the first letter.