Wikipedia:Village pump (proposals)/Account security

We could easily add a notice summarizing how to pick a stronger password. It would not be as long as this article, but could present similar information.

Comments

• Special:UserLogin already says, “If your password only contains letters or only numbers, please read our article on password strength and consider changing it (in Special:Preferences after you log in).” ― A. di M.​_plé​^dréachtaí 12:23, 3 June 2011 (UTC)[reply]
• Support including more hints, examples, notice. For many users clue has to be administered much more aggressively. Also support "password strength bar". —  
  TALK 16:24, 3 June 2011 (UTC)[reply
  ]

  Th@t s0unds g00d (That sounds good) ~~EBE123~~ ^talk_Contribs 22:10, 3 June 2011 (UTC)[reply]

• How about an article in The Signpost? ~~EBE123~~ ^talk_Contribs 22:10, 3 June 2011 (UTC)[reply]
• There already is a note on the signup page, and in general, more text == less reading by noob users. —TheDJ (talk • contribs) 23:14, 3 June 2011 (UTC)[reply]
• Yet another thing for new users to ignore? Doesn't sound like a good idea to me. --Carnildo (talk) 23:40, 3 June 2011 (UTC)[reply]
• If we have a bar showing password strength (the section above this one), it wouldn't make sense without a message explaining what it is. ▫ JohnnyMrNinja 14:52, 4 June 2011 (UTC)[reply]
• Support The Helpful One 22:32, 5 June 2011 (UTC)[reply]
• Not sure. At signup, password strength isn't a big deal (new accounts are low value), and bothering users with password strength may put some off. I'd prefer to auto-check password strength when users reach a certain threshold (say, 100 edits), and then notify them if the strength is not high enough, with a suggestion to improve it by checking against an indicator. (It could be done by the Special/login page, when they login next time after their 100th edit.) That said, a simple password strength bar, with a link to an explanatory page, wouldn't be too offputting, hopefully. Rd232 ^talk 22:50, 5 June 2011 (UTC)[reply]
• I'm okay with this, but I really don't think that it's such a big deal. Most accounts are throwaway accounts: the user will make a few edits, and then go away. I don't object to giving them more information (an unobtrusive indicator), but I wouldn't make any new account use any password more complicated than "password" itself. Brand new accounts have almost zero value. WhatamIdoing (talk) 00:56, 10 June 2011 (UTC)[reply]
• It should be pointed out that the note about password strength that links to our article on the subject is only linked from the login page, not the signup page. I would Support adding a note about it to the signup page as well. If the password strength bar is approved, the note should be next to that, otherwise it probably should be placed next to the password input fields. jcgoble3 (talk) 17:24, 15 June 2011 (UTC)[reply]

We're worried about bothering newcomers with password issues - and new accounts' value is very low anyway. So why not wait til accounts reach, say 100, 500, or 1000 edits and then automatically test the password strength, and then notify them if it's not acceptable. It could be done by the Special/login page, when they login next time after their 100th edit, simply showing the password strength indicator analysis of their current password, with a brief note. This ought to gain most of the security benefits, without the downside. Alternatively, don't bother testing, just automatically send an email after the 100th edit saying "well done for contributing 100 edits, would you like to check your password strength against the indicator _here_"? Rd232 ^talk 17:28, 5 June 2011 (UTC)[reply]

• Support - increases awareness and a gradual rate. Regards,
  talk) 02:38, 23 June 2011 (UTC)[reply
  ]
• Support There's enough things to worry about when starting, dealing with a strong password isn't one of them. Waiting until 100 or even 500 edits isn't going to be a problem.--SPhilbrickT 00:15, 26 June 2011 (UTC)[reply]
• Support It sounds like this would help security and I don't see the downside. AndrewRT(Talk) 21:28, 3 July 2011 (UTC)[reply]
• Oppose, give the feel that anybody at WMF/WP could read the PWs and send mails. I'm not really sure if this is technical possible since Mediawiki using/should use salt. So there have to be saved somewhere HOW secure the pw is. Also I don't think it is good to motivate the users even more how much (useless?) posts they have done (
  WP:EDITCOUNT). mabdul 22:23, 3 July 2011 (UTC)[reply
  ]
• Oppose, per Mabdul. --Nuujinn (talk) 22:27, 3 July 2011 (UTC)[reply]

Although Wikipedia currently allows email validation, but this is not not required in any capacity. Many websites require this before setting up an account, or before making changes to the account. This does not mean that users would need to be contacted by other editors, but rather by the MediaWiki software itself. Currently any automated messages or warnings like those mentioned above would only reach editors who both submitted an email address and still retain access to that account. This could be implemented as a strong suggestion for all users, as a requirement for user privileges, or even for starting an account.

Comments

Although I would personally support this, it will in part implede the WP's "anyone can edit" statement. So this should definitely not be required to create an account. Considering how many notices and warning we already have, I'm sceptical of requiring e-mail address just so more notices can be sent (as per proposals above). If anything, I would be discouraged to submit my e-mail. I a user just doesn't get a clue or care, no amount of e-mails will fix that. —  

• Given that most websites ask for it already, I think that we should require that a user submit an email address upon registering. However, we should create a new option like "Allow others to send me email" or "Allow Wikipedia to send me system messages" or whatnot, so people who forget their passwords can still get a new one via email, but if they don't want to get email from other users, they don't have to. /ƒETCHCOMMS/ 16:59, 3 June 2011 (UTC)[reply]
  • Nobody say that you aren't able to edit as IP (so not logged-in), thus this argument isn't valid! mabdul 17:08, 3 June 2011 (UTC)[reply]
    • By no means should this be a requirement to edit, but it seems reasonable for account creation, and certainly for user rights. Unless it is possible that anyone who is using the internet enough to register an account would not have an email account. This would ensure that we can actually deliver warning messages. There is already a preferences setting to allow other users to email you. ▫ JohnnyMrNinja 17:26, 3 June 2011 (UTC)[reply]
      • I recently heard from a user, that he doesn't have an e-mail account. Armbrust ^{Talk to me} _Contribs 00:42, 4 June 2011 (UTC)[reply]
        • I know some users don't have emails, but the number of those without them are very small now, I'm guessing (anyone got data on this?), and as IPs can edit, the inconvenience would likely be minor. What would be ideal is an in-MediaWiki private messaging system, but that's for another discussion. /ƒETCHCOMMS/ 01:43, 4 June 2011 (UTC)[reply]
• Support, but let's start with accounts with extended user right and admins and see how it goes. --Nuujinn (talk) 23:54, 3 June 2011 (UTC)[reply]
• Support, Nuujinn proposal is good!. mabdul 08:31, 4 June 2011 (UTC)[reply]
• Support A means of verification would be a welcome change. —
  Talk • Contribs) • 10:24pm • 12:24, 4 June 2011 (UTC)[reply
  ]
• Support (to be clear I added this heading to the RfC) - I just realized our sign-in says "You do not have to provide an e-mail address, but if you forget your password, you will not be able to regain access to your account without one." This is likely the reason that we have so many abandoned accounts. How many are just duplicates the owners lost the keys to? This will also likely decrease the number of vandalism-only accounts. I think it should be required for all new users and any accounts with rights, and heavily suggested for regular editors. This is not only an issue for WP security (as most accounts aren't very valuable to us), but also to help protect the individual accounts (which could very-well be valuable to someone). ▫ JohnnyMrNinja 15:43, 4 June 2011 (UTC)[reply]
  • Does this mean we then get into the business of blocking every temporary email account service out there? While it seems like a pretty painless good idea for reducing account abandonment slightly, I'm not sure this would have much of an impact on vandalism. Nevard (talk) 02:40, 5 June 2011 (UTC)[reply]
    • You may be right and it may have very little impact on vandalism, and I certainly don't think we should disallow any email service for any reason. I simply meant that it creates another hoop for a vandal wishing to remain anonymous, as they would have to create a fake email and then create a fake editor and then create the page "Steve Eats Poo". That is a very specific type of vandalism and likely not a major type, and that is not why I support this idea but rather a possible small benefit of it. Also I don't suggest using the email in any punitive fashion (though I assume CUs can see what accounts have the same address), just that vandals are less likely to commit vandalism knowing that they gave their real email address. ▫ JohnnyMrNinja 04:11, 5 June 2011 (UTC)[reply]
      • Ah, I was referring more to
        Disposable e-mail address services than webmail accounts. Nevard (talk) 06:09, 5 June 2011 (UTC)[reply
        ]
      • AFAIK, CUs don't have the ability to see users' email address. Even if they did, we don't usually do CU on routine vandals unless there's an obvious pattern. Mr.Z-man 17:47, 5 June 2011 (UTC)[reply]
• Weak oppose - Sometimes when a website asks for my email, I immediately abort creating an account. We need to encourage as many ip users as possible to create accounts. We don't even require sysops to configure an email account.
  Qwertyus 00:59, 6 June 2011 (UTC)[reply
  ]
• Oppose per Marcus Qwertyus. For a different wiki with a different culture (e.g., one that requires registration to edit), this could be a good idea, but here I think it will be counterproductive. --RL0919 (talk) 15:42, 8 June 2011 (UTC)[reply]
• Oppose for registered users. An extra hurdle which isn't necessary at that point. Suggestion: One thought occurs - what about using a carrot instead of a stick? Could we give brand new users some slight advantage if they provide a verified email address? Perhaps reduce the auto-confirmed threshold from 4 days to 3? (Or perhaps better, up the standard to 5, and lower it to 4 for those who provide them.) Rd232 ^talk 19:32, 8 June 2011 (UTC)[reply]
• Support new accounts having to register a verified email address. Nearly everyone who connects to the Internet has an email address. There are plenty of security benefits (and potential communication benefits) to this being registered with Wikipedia. Simple. ╟─TreasuryTag►Counsellor of State─╢ 09:12, 9 June 2011 (UTC)[reply]
• Oppose. Wikipedia already has a very clannish editor community. Impeding the ability of new users to register by requiring a verified email address would further exacerbate that problem. We need to make it easier to allow new editors to become established, not harder. elektrikSHOOS 20:53, 9 June 2011 (UTC)[reply]
• Oppose Off-putting to new editors and irritating to people worried about spam. Fear of spam is a huge deterrent to many people. Besides, we'll just end up with hundreds of accounts whose verified e-mail address is [email protected] WhatamIdoing (talk) 01:06, 10 June 2011 (UTC)[reply]
• Oppose I consider myself an established user yet until now I'm still not confirming my e-mail. There should be no need for this. And being able to be communicated with through e-mail should be the editor's choice. Moray An Par (talk) 12:18, 11 June 2011 (UTC)[reply]
  • There is a setting to turn off email communication with other editors, allowing you to provide an email address purely for purposes like password resetting. Rd232 ^talk 13:56, 11 June 2011 (UTC)[reply]

• Comment - I don't care so much about existing accounts, but not requiring an email account could be one of the reasons we have almost 2x the number of unused account as used. Almost
  WP:SUL, but still. Make an account at Wikipedia, forget your password, and it's gone forever. ▫ JohnnyMrNinja 04:13, 13 June 2011 (UTC)[reply
  ]

it could be, but I think the absence of any strong desire to actually contribute is the more likely reason. DGG ( talk ) 21:20, 14 June 2011 (UTC)[reply]

• Strong Support It's common bleeping sense. Practically every site out there now requires an email address; why not Wikimedia sites? As JohnnyMrNinja pointed out, it would help reduce the number of accounts that are created and abandoned because the password is forgotten. I would also support a modification to the blocking mechanism so that autoblocks would affect the user's email address in the same way they would affect the IP, except that an autoblock affecting an email would last until the main block expires or is lifted rather than just 24 hours. This, I'm guessing, would help cut down on socking. jcgoble3 (talk) 17:37, 15 June 2011 (UTC)[reply]
• NO. Simply put, I don't think I would have created an account if an email was required. I'm cautious about giving my email to websites, and when I signed up I was just going to make a few edits (it obviously turned out to be a lot more than a few, but I may not have made any of them if an email was required). Further, just asking for an email is one thing, but if you then did the whole "send-email-with-code-you-need-to-enter-code-before-starting-to-edit" thing, it would be a major hassle. Why make it noticably easier to edit as an anonymous user? Don't we want people to create accounts? –
  T • C • L) 15:57, 17 June 2011 (UTC)[reply
  ]

  I totally agree with your position. Requiring e-mail addresses will just be an extra hassle and may discourage new editors. Moray An Par (talk) 12:55, 19 June 2011 (UTC)[reply]

• Oppose - Unnessesary, no benefits. Add to email spam etc. Regards,
  talk) 02:39, 23 June 2011 (UTC)[reply
  ]
• Not helpful I think. Stifle (talk)
• Oppose Unnecessary hassle, will not provide more then a minimal amount of extra security, at the expense of annoying new users. Monty₈₄₅ 16:09, 5 July 2011 (UTC)[reply]

• Comment: how about limiting
  autoconfirmed privileges to those who have provided a verified email address? That ought to be relatively easy, and avoids the obvious complaint about putting people off editing. There is a "Enable e-mail from other users" option, so doing this wouldn't force anyone to accept email from other users, only from the software under limited conditions (eg password reset). Perhaps would need combining with some kind of automatic notice when the other conditions are met but no email address has been given: "if you now provide an email address, you'll be able to move pages and gain some other privileges" sort of thing. Rd232 ^talk 17:05, 5 June 2011 (UTC)[reply
  ]
  • That could cause a serious problem though, as autoconfirmed is automatic. They would either have to stop editing or we would have to change what an autoconfirmed user is. ▫ JohnnyMrNinja 17:21, 5 June 2011 (UTC)[reply]
    • I'm assuming the software would be changed so it would still be automatic, but dependent on the existence of a verified email address. And failure wouldn't mean they couldn't edit, it would mean not getting the autoconfirmed privileges. Rd232 ^talk 18:00, 5 June 2011 (UTC)[reply]
      • If it's technically achievable within mediawiki, I think this is a good approach. bobrayner (talk) 00:46, 6 June 2011 (UTC)[reply]

• Oppose We don't need to have an e-mail address for a person to let them move pages, send articles to AFD, or do any of the many autoconfirmed-only activities. WhatamIdoing (talk) 01:06, 10 June 2011 (UTC)[reply]
  • We don't need to have an autoconfirmed threshold for moving pages etc either; but for various reasons it's a good idea. Similarly, there are various security and communication benefits for users providing an email address. Forcing them immediately (as per section above) would be bad, but requiring an address for those higher privileges is a pretty minimal requirement, and anyone that doesn't want can edit without. Alternatively, we could remove the "stick" element entirely and change it to carrot: eg, "give us a verified email address, and you can be autoconfirmed more quickly" (which would work best with raising the current threshold, since it's there for a reason). So maybe autoconfirmed no email address: 5 days, 15 edits; with email address, as status quo. Rd232 ^talk 14:02, 11 June 2011 (UTC)[reply]
• Oppose per my comments both in the above section, and per WhatamIdoing's comment. elektrikSHOOS 20:37, 19 June 2011 (UTC)[reply]
• Oppose This would represent a shift away from the concept of pseudonymous editing which the internet was largely based on a few years more closely towards the facebook-style real name editing. I know this is the way the internet is moving, but I worry that we may lose something in this change, particularly when people are editing on contentious areas they might not want their employers, for instance, to know about. AndrewRT(Talk) 21:32, 3 July 2011 (UTC)[reply]
  • What? This has no effect on pseudonymous editing whatsoever. A user with a verified email account doesn't need to make that public in any way, or even enable receiving emails from other editors. It's purely behind-the-scenes for notifications and password resets, and not even (AFAIK) accessible by checkusers etc.
    talk 22:09, 3 July 2011 (UTC)[reply
    ]

• Support. This is required for various of the other security measures about email notification to be really effective. Rd232 ^talk 19:24, 8 June 2011 (UTC)[reply]
• Oppose. Given the stringent requirements already imposed by the community to achieve these positions, I don't see how requiring a verified email address would help anything at all. Why would this even be necessary? What is this preventing? This is a solution in search of a problem. elektrikSHOOS 20:35, 19 June 2011 (UTC)[reply]
• Support, aids ability to communicate, it situation that it looks like account comprimised for one. Part of being a responsible admin. Regards,
  talk) 02:43, 23 June 2011 (UTC)[reply
  ]
• Support I have long supported this. It's pretty basic, for anyone who is in a position of authority. Anonymity is one thing, but people whom we are not even minimally sure have some real existence is another. Its a very weak standard, of course, but it's a first step towards proper responsibility. DGG ( talk ) 20:28, 28 June 2011 (UTC)[reply]
• Well, support, but not for any security purposes, more because sysops should be accessible. Stifle (talk) 14:36, 1 July 2011 (UTC)[reply]
• Support In contrast to my comments in the section above, I think trusted users like admins should be accessible and their identities known and verifiable (not to the wide world but to some). AndrewRT(Talk) 21:34, 3 July 2011 (UTC)[reply]
• Comment While I think admins should have an working email that they check associated with their account, it is trivial to register a free email account that does nothing to identify the user unless they happen to use an email address with personally identifiable information in a context that indicates it is not another alias. Monty₈₄₅ 16:07, 5 July 2011 (UTC)[reply]

Email accounts often become stale or go dead, but Wikipedia's email verification takes no account of this. So, on annual basis, some mechanism should ensure reverification of the email address. The email message asking for this will also be a reminder for those who have lost touch that they once edited and still have an account. Ideally, an email message would be preceded by some attempt to re-verify via an onwiki message ("is this email address still correct?"), and success would obviate the need for an email. But that would probably be considerably more complex to implement. An annual email message is pretty straightforward; and supplementing by an automatic user talk posting if there's no response within a set time ought to be straightforward too. Well, there are various ways of doing it, let's not get hung up on the how just yet. PS Benefits of this right now are limited to ensuring users don't lose the ability to reset their password, and that user-to-user emails to them don't go into a black hole; but various security measures proposed do depend on current email addresses. Rd232 ^talk 20:05, 8 June 2011 (UTC)[reply]

Comments

Comment - Technically how would you do this? You'd send a reconfirmation email. What if they didn't get it? Nothing, becuase many would get it and not act. So would you close accounts on those that didn't renew? I doubt that would be sensible. So I think this idea would become unworkable. Regards,

• • The reconfirmation email would have a clickable link, same as the current email sent to verify an email address. If the user doesn't click the link within a certain time frame, the "verified" status of the email address is removed. That's the basic idea; what exactly you make dependent on having a verified email address is a separate issue. I'd suggest admin and higher rights should be suspended if there isn't one; maybe lower rights too (rollback etc, but not autoconfirmed or even editing). Currently, I think it's just email access (send/receive) which depends on having a verified address. PS stating the obvious, but if an address is "unverified", there won't be any more reconfirmation attempts in future, so that people who don't want to bother don't have to.
    talk 20:14, 1 July 2011 (UTC)[reply
    ]
• Not support. Most email providers which are used: GMail, Yahoo!, MSN, aol, live.com ... and was it nearly. see stats at the account creator tool. I doubt that any of them will be closed. So this would care only a really small minority. mabdul 18:28, 1 July 2011 (UTC)[reply]
  • It may be that many of these accounts don't die, but people do stop using them (for one thing, people die), and therefore future emails to them are lost in the ether; unverifying email addresses would prevent people sending emails to people who probably won't get them. More importantly, some of the security measures proposed in this RFC depend on people (at least admins) having currently being read email addresses listed. In addition, an annual reminder might bring a few editors back.
    talk 20:14, 1 July 2011 (UTC)[reply
    ]
    • That doesn't make sense! If a user lost his password he will can check his ORPHANED mail account (because he uses always the same password) and get access to his wikipedia account. The easiest way posting the template "you've got a mail" template and then the mailed user checks either the mail address(in the prefs) or his mail account to get the mail. Also: what has this to do with increasing security? With/out/removed a verified mail address there is no win of security. mabdul 22:00, 5 July 2011 (UTC)[reply]

First proposed here, an email could be sent to a user if his/her account began editing after a certain period of inactivity (several months, a year, etc.). This would welcome back users, but also let them know if someone else is accessing their account.

Comments

• Goes hand in hand with the proposal just above. This is a good idea, and should definitely be enabled. It should be a simple "Welcome back to Wikipedia!" note, and not a "You were sure gone a while... so you're probably a hacker." Also, the amount of good this will do will be limited to the number of editors that attach email accounts. ▫ JohnnyMrNinja 12:32, 3 June 2011 (UTC)[reply]
  • I don't think this should be something that can be opted out of or set to a user-defined length. This is people planning for the times that they will not be here, which doesn't make sense. I can't imagine a scenario where user-defined settings for this would be desirable. There is no way that having it on would genuinely upset any editor, as the email would be so infrequent, and it would welcome them, which is a good thing. "Every time I take a break from Wikipedia for three months or more they send me an email saying 'Welcome back!" upon my return and it is driving me crazy!!!!!" If they could change the length manually, what would they set it for and why? If you take month-long vacations, would you set it for 1 month, or 2, or three weeks? It'd be arbitrary. I know wiki editors like control, but user-control is not desirable for this feature and should not be implemented. ▫ JohnnyMrNinja 17:35, 5 June 2011 (UTC)[reply]
• Support, very good idea, but I would suggest only doing this for editors with 1000+ edits and admins initially. Since IPs can edit freely, seems of limited value to accounts that are seldom used. --Nuujinn (talk) 23:39, 3 June 2011 (UTC)[reply]
• Support, 1000+ as Nuujinn described. mabdul 15:20, 4 June 2011 (UTC)[reply]
• Support for 1000+ edits. The "Welcome" email could contain suggested links to review policy and editing, too. Mamyles (talk) 23:02, 4 June 2011 (UTC)[reply]
• Support - was my idea :). 1000+ seems a fair threshold. Note that my proposal originally included the point that the facility and the time period would be adjustable in the user's preferences; I guess this is taken as read. Also it should be on by default. Rd232 ^talk 17:17, 5 June 2011 (UTC)[reply]
  • Though JohnnyMrNinja makes a fair point that adjustability isn't strictly necessary - at least if the time period is long enough (3 months+ perhaps). The reason I was suggesting adjustability is that I was thinking some users might set it considerably lower - like a week. Since the security benefits are particularly from a small number of highly active users, adjustability helps maximise those benefits. Rd232 ^talk 18:47, 5 June 2011 (UTC)[reply]
• Support - 1000+ edits, admins, but not users that aren't auto-confirmed - waste of resources. The Helpful One 22:35, 5 June 2011 (UTC)[reply]
• Support; I can't think of a reasonable downside. 1000 edits seems slightly high to me - I'd prefer 100 or so - but I could live with it. bobrayner (talk) 00:41, 6 June 2011 (UTC)[reply]
  • Well, someone actually implementing this would probably conclude that the edit threshold is best left up to the user, along with the time threshold. Default values could actually probably be lower than the 1000 we've been talking about; most users don't get up to 1000 very quickly, if at all. So default could be perhaps 100 edits and 3 months. Rd232 ^talk 19:48, 8 June 2011 (UTC)[reply]
• Support 1000+ prior edits and a long break (or even sending it on the second renewed edit) might be a reasonable starting point, but if this gets people to come back more often, I'd be happy to have those thresholds decline to whatever point is likely to win us more editors. Happy, welcoming messages only, and I'd be happy to see the message suggest either articles that they might be interested in, or simple edits that they might like to help out with (perhaps rotating through things like stub sorting, common spelling errors, orphaned articles, or things like that). Prefs could have an opt-out box. WhatamIdoing (talk) 01:14, 10 June 2011 (UTC)[reply]
• Support. עוד מישהו Od Mishehu 08:18, 20 June 2011 (UTC)[reply]
• Support. I can see no risks with this. The email should basically just welcome users back, but should end with instructions what to do if one did not actually log into the account. Hans Adler 09:43, 21 June 2011 (UTC)[reply]
• Support This looks like a very good idea, but I agree with others that this should probably only be implemented for users with quite a few edits. Captain panda 15:57, 28 June 2011 (UTC)[reply]

Currently, an email is only set to an email address when it is added to preferences - in order to verify access to that account. This means that a hijacker can remove or replace a verified email address without the owner being aware of it. So when an email address is removed or replaced, an email should be sent to the old address (if it was verified) simply notifying the owner [the verification code email would be sent to the new email address, if one has been provided - after all it's the new address being verified]. This shouldn't happen so often as to be an annoyance issue, and it's a significant security benefit. (Of course, that doesn't apply if the address is dead or unused, but you can't have everything. And the "desysopping if inactive" proposal at VPR covers a lot of the most important part of that ground.) Rd232 ^talk 17:56, 5 June 2011 (UTC)[reply]

• Comment: Only a information or plus a new "verification" code? I'm not a fan of sending new verification codes (to old mail-addresses) since I was multiple times in the situation that my free mail vendor(s) shut down. mabdul 18:35, 5 June 2011 (UTC)[reply]
  • Only notification. I don't see the point of sending a verification link to the old address in addition to the new one. The only value I could see might be in sending a link in the notification which would allow a reinstatement of the old address, overriding the removal even after verification of the new address. The link would be active for a limited time (1 week?) and would allow a hijacked user to regain access by reinstating the old email address and then asking for a password reset. Rd232 ^talk 18:40, 5 June 2011 (UTC)[reply]
• Support. Reasonable measure to detect some (not all) forms of account compromise, at minimal cost. Forget about using it for verification - the average person on the internet has a certain amount of inertia over email accounts, and changes tend to be a "distress purchase" - because the user can't remember their Hotmail password or they just lost their job, so expecting verification via the old account simply won't work. bobrayner (talk) 00:50, 6 June 2011 (UTC)[reply]
• This is a good idea; no verification codes, though (the main reason I foresee someone changing their email is because they lost access to the old one!). /ƒETCHCOMMS/ 16:09, 6 June 2011 (UTC)[reply]

• Support, very good idea. I wonder if a confirmation email for any change in prefs might be worthwhile. I use a couple of web sites that do this. --Nuujinn (talk) 22:50, 6 June 2011 (UTC)[reply]
  • What other preferences would be worth the bother on Wikipedia? I can see it being an issue on Facebook say, where somebody could change privacy settings. Rd232 ^talk 23:00, 6 June 2011 (UTC)[reply]
    • I'm thinking of it as a string on a tin can--if someone does gain access to my account, let's say, and changes any pref, I'd know someone was mucking about (since I only rarely change prefs). --Nuujinn (talk) 22:11, 7 June 2011 (UTC)[reply]
      • Well, OK, I see. The only thing is that the proposal as stands (notifying on email change) doesn't require any per-user configuration; this won't happen often enough to need turning off. Your version would need a preference option to turn it off, besides needing to monitor all preference options and provide an additional sensible message. I wouldn't oppose it, but given the severe limitations on developer time, I wouldn't prioritise it very highly. Rd232 ^talk 15:39, 8 June 2011 (UTC)[reply]
• Support for notification (but not verification). A reasonable way to alert users if something fishy has happened with their account, and totally harmless if the change was intentional. --RL0919 (talk) 15:33, 8 June 2011 (UTC)[reply]
• Support users are unlikely to change their email addresses frequently so this should not annoy users. If their is an option to turn this off the user should also be notified of this change. MorganKevinJ^(talk) 18:22, 8 June 2011 (UTC)[reply]
• Support per above. Simple and reasonable way for users to be told when something has happened that they should be aware of. jcgoble3 (talk) 17:46, 15 June 2011 (UTC)[reply]
• Support as notification only, or even as notification+an opertunity for cancelation; it should not be used for verification, as such a change may e the result of an already discontinued e-mail address. עוד מישהו Od Mishehu 08:20, 20 June 2011 (UTC)[reply]
• Support. Of course the old address cannot be used for verification as it will often be no longer under control of the user. I am also not sure that it should have any code that permits getting control of the account, as the email address may well be under control of someone else. (E.g. email provider shuts down, domain gets sold, and new domain owner sells all such notifications to spammers.) Hans Adler 09:51, 21 June 2011 (UTC)[reply]

The proliferation of passwords is already a fairly enormous problem. What are the technical barriers to enabling openID on the Wiki, so that people don't need to log in? Stackexchange and Mathoverflow use such a login mechanism, and it's both easy and makes security somebody else's problem (in this case, the openID provider's). Ray^Talk 10:41, 22 June 2011 (UTC)[reply]

That was suggested by the people who did the password study, I think, but I'm not familiar with how that would be implemented (would they still have to create a separate WP account, which would be logged?), and heaven knows how weak some people's MySpace passwords are. /ƒETCHCOMMS/ 04:55, 24 June 2011 (UTC)[reply]

Comment. Yes, do it do it do it. OpenID is awesome. —Tom Morris (talk) 09:10, 27 June 2011 (UTC)[reply]

• I think this would be a really positive step towards integrating the Wikimedia usebase with other free content communities out there and, of course, making things easier for our editors. However, I haven't a clue how hard it would be to do in practice. AndrewRT(Talk) 21:27, 3 July 2011 (UTC)[reply]
• Making security someone else's problem doesn't necessarily improve security. One could argue that adding more places to log in to could only decrease security, by adding attack vectors. Mr.Z-man 22:26, 5 July 2011 (UTC)[reply]