Reset lost credentials

From Meta
Jump to navigation Jump to search
Other languages:
English • ‎日本語

Reset lost credentials

This page is a help page, and is not a policy or guideline. Please use this page to help you around Miraheze's Wikis.


Technically, Miraheze system administrators (also known as staff) do not reset anyone's credentials on behalf of them. This is because staff fears that they are trapped in social engineering. As such, staff requires undeniable proof that the requesting user is indeed the authentic owner of the account before we can do the reset. In general, we don't do a password reset, if you don't have email configured and lost a password, consider that account gone. Everything is case-by-case and done at the discretion of the staff.

We know you

If we are sufficiently sure that requesting person is authentic user behind the claimed account, we may do the reset. This depends on the user, and how we got to know the user.

Committed identity

Committed identity is a secret hash. The contents are only known to the generating user until the hash is revealed to staff when you need to prove ownership.

Linked SignPost page is documenting enough that you can just follow.

  • Browse to text2hash.
  • Enter your 'secret'. It should be long enough (not just two-three words, not easy to guess, preferably have some random string (i.e. today's date). Hash is "SHA512" - leave it as is. If it is not SHA512, change to SHA512.
    • The string used in this help page is Miraheze Meta Test Committed Identity - 2018-02-25 - User:Blah_blah This is a committed identity.
  • text2hash will dynamically generate the hash. Copy the result.
    • In this example, hash is d9a6f981c04721d7dddd541175c97b24182bf550670819fb4a67444ba9710c751e0f2a8d8949de6a47c01bb9c19fc4fb70f3c5c89d22612ffc06fbc31bc7ecb0.
  • Paste your hash into your userpage.
    • In this example, do {{Committed identity| d9a6f981c04721d7dddd541175c97b24182bf550670819fb4a67444ba9710c751e0f2a8d8949de6a47c01bb9c19fc4fb70f3c5c89d22612ffc06fbc31bc7ecb0}}.
  • Now, close the tab and re-open it.
  • Verify the same original string and verify that the newly generated hash matches the hash in template.
  • IF, and ONLY IF the two hash matches, save it.

And when you need to prove your ownership, if staff asks, send an email to staff at miraheze{{.}}org with the string. If you are putting "" around it, tell us if we need to remove it when putting the hash.

GPG

If you have a Gnu Privacy Guard key with signing functions, you can use it to prove your ownership.

  1. Create a GnuPG key. This is not explained in this help page. Debian has a great how-to page for this. Just make sure your key doesn't expire (When asked for Key is valid for? (0), just enter or give 0.)
  2. If you followed above example, you now have a GnuPG key. Now, when your key was created, gpg told you about Key fingerprint = . Paste that value somewhere. This is very important.
  3. Sign a statement (do Clearsign.) with "current date", statement "I, REPLACE_HERE_WITH_YOUR_USERNAME, controls the private key associated with this GnuPG key, and this key owner is authorized to perform a credential reset if signed request is sent to staff at miraheze{{.}}org." Example in User:Revi/ssh.
  4. Save the signature with the original text and the fingerprint on wiki. Wrap your comment with <pre></pre> otherwise MediaWiki formatting will mess up the GPG signature.
  5. When requested, send a signed email from the specified key to staff at miraheze{{.}}org to verify your identity.
  6. Your key must be available from pool.sks-keyservers.net pool, so we can verify your key independently. Verify that your key is available by checking against keyserver.ubuntu.com, pgp.mit.edu, and pgp.surfnet.nl. Your key should be accessible from all of three servers. (If your key is new, it may take time to synchronize the key between key servers. Try again after 24 hours.)

This requires understanding of how GPG key creation, signing, and keyserver works, and thus not recommended for newbies. This is an option for technically savvy users.