Reset lost credentials

From Miraheze Meta, Miraheze's central coordination wiki
(Redirected from Password reset)

Reset lost credentials

This page is a help page, and is not a policy or guideline. Please use this page to help you around Miraheze's Wikis.

If you have an email attached to your account, you can reset your password at any time using Special:PasswordReset.

Technically, Miraheze Site Reliability Engineering (SRE) can reset credentials, such as passwords or 2-Factor Authentication records. However, policy-wise, they do not reset anyone's credentials on behalf of them. This is because of fear that they might be trapped in social engineering. As such, they require undeniable, math-based proof that the requesting user is indeed the authentic owner of the account before they can do the reset.

In general, they don't do a password reset. If you don't have email configured and lost your password, consider that account gone. Everything is case-by-case and done at the discretion of SRE.

SRE knows you

If SRE folks are sufficiently sure that the requesting person is the authentic user behind the claimed account, they may do the reset. This depends on the user, and how a member of SRE got to know the user.

Committed identity

Committed identity is a secret hash. The contents are only known to the generating user until the hash is revealed to SRE when you need to prove ownership.

Linked SignPost page is documenting enough that you can just follow.

  • Browse to text2hash.
  • Enter your 'secret'. It should be long enough (not just two-three words, not easy to guess, preferably have some random string (i.e. today's date). Hash is "SHA512" - leave it as is. If it is not SHA512, change to SHA512.
    • The string used in this help page is Miraheze Meta Test Committed Identity - 2018-02-25 - User:Blah_blah This is a committed identity.
  • text2hash will dynamically generate the hash. Copy the result.
    • In this example, hash is d9a6f981c04721d7dddd541175c97b24182bf550670819fb4a67444ba9710c751e0f2a8d8949de6a47c01bb9c19fc4fb70f3c5c89d22612ffc06fbc31bc7ecb0.
  • Paste your hash into your user page.
    • In this example, do {{Committed identity| d9a6f981c04721d7dddd541175c97b24182bf550670819fb4a67444ba9710c751e0f2a8d8949de6a47c01bb9c19fc4fb70f3c5c89d22612ffc06fbc31bc7ecb0}}.
  • Now, close the tab and re-open it.
  • Verify the same original string and verify that the newly generated hash matches the hash in the template.
  • IF, and ONLY IF the two hashes match, save it.

And when you need to prove your ownership, if SRE asks, send an email to sre(at)miraheze{{.}}org with the string. If you are putting "" around it, tell us if we need to remove it when putting the hash.

GPG

If you have a Gnu Privacy Guard key with signing functions, you can use it to prove your ownership.

  1. Create a GnuPG key. This is not explained in this help page. Debian has a great how-to page for this. Just make sure your key doesn't expire (When asked for Key is valid for? (0), just enter or give 0.)
  2. If you followed the above example, you now have a GnuPG key. Now, when your key was created, gpg told you about Key fingerprint = . Paste that value somewhere. This is very important.
  3. Sign a statement (do Clearsign.) with "current date", statement "I, REPLACE_HERE_WITH_YOUR_USERNAME, controls the private key associated with this GnuPG key, and this key owner is authorized to perform a credential reset if signed request is sent to sre(at)miraheze{{.}}org." Example in User:Revi/ssh.
  4. Save the signature with the original text and the fingerprint on wiki. Wrap your comment with <pre></pre> otherwise MediaWiki formatting will mess up the GPG signature.
  5. When requested, send a signed email from the specified key to sre(at)miraheze{{.}}org to verify your identity.
  6. Your key must be available from the pool.sks-keyservers.net pool, so we can verify your key independently. Verify that your key is available by checking against keyserver.ubuntu.com, pgp.mit.edu, and pgp.surfnet.nl. Your key should be accessible from all of the three servers. (If your key is new, it may take time to synchronize the key between key servers. Try again after 24 hours.)

This requires understanding of how GPG key creation, signing, and keyserver works, and thus not recommended for newbies. This is an option for technically savvy users.