Help talk:Reset password

	This page is within the scope of the Wikipedia Help Project, a collaborative effort to improve Wikipedia's help documentation for readers and contributors. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. To browse help related resources see the Help Menu or Help Directory. Or ask for help on your talk page and a volunteer will visit you there.Wikipedia HelpWikipedia:Help ProjectTemplate:Wikipedia Help ProjectHelp articles
Mid	This page has been rated as Mid-importance on the project's importance scale.

To help centralise discussions and keep related topics together, Wikipedia talk:Special:PasswordReset redirects here.

Redirect?

Help:Logging in#What if I forget the password? is a more correct description of Special:PasswordReset and the limits of its usefulness. My preference would be for Help:Reset password to redirect there; failing that, the description here should be corrected. -- John of Reading (talk) 07:44, 19 December 2012 (UTC)[reply]

I'd prefer having a separate page for this. Though there is that specific section, that page is fairly long. It includes things that you do well after logging in, such as setting preferences and changing user or user talk pages. When someone is already confused, it's ideal to point them to a concise page about their issue. However, I will add a {{main}} pointing to here. Superm401 - Talk 18:34, 23 December 2012 (UTC)[reply]

Tweaked password section

I tweaked it to make clear you can enter your email for this too. Also, I noted that you should enter only your email if you're not sure of the username (if you enter both it will only use the username). Superm401 - Talk 18:39, 23 December 2012 (UTC)[reply]

Password Limitations

It would be really helpful if this page had Wikipedia's password limitations. Important questions to answer include: minimum length, maximum length, and forbidden characters. Even better, is if this information is added to the Change password page used to modify passwords, and the password picking page for new users. BlackGriffen (talk) 08:20, 25 September 2015 (UTC)[reply]

Are old passwords invalidated by requesting a temporary one via Special:PasswordReset

If I use Special:PasswordReset does it invalidate my existing password? Or if I do manage to recover it will I be able to log in using my old password? I've lost access to my email address but foolishly tried Special:PasswordReset without thinking this issue through properly. 81.109.128.24 (talk) 17:26, 5 August 2020 (UTC)[reply]

The old password remains valid. -- John of Reading (talk) 18:58, 5 August 2020 (UTC)[reply]

@CapnZapp: I believe the last sentence of your edit is incorrect. -- John of Reading (talk) 10:43, 13 March 2021 (UTC)[reply]

Thank you. CapnZapp (talk) 11:13, 13 March 2021 (UTC)[reply]

I noticed that already nine years ago, you brought up the fact the password reset mechanism is discussed twice, both here and at Help:Logging in#What if I forget the password? However, that page does not mention the preference "Send password reset emails only when both email address and username are provided." It also claims "You then have to change the password to one of your choice after you log in." which contradicts this talk section. Finally, it was written before password managers became ubiquitous in browsers: I believe a much more common piece of advice than "If you have previously asked a Wikipedia tool such as AutoWikiBrowser to remember your password, and you still have access to the machine where the password is saved, then it may be possible to recover the saved password." would be something like "If you have previously logged into Wikipedia using a modern browser, chances are you have allowed that browser to remember the password. If it is a desktop browser, you can find out the password. If it is a mobile browser, you cannot find out the password, but you might still be able to log in."

This final scenario I'm unsure if it helps. I believe you cannot change the password without first entering the old password, and I think Wikipedia forces you to enter it manually (no autofill from stored passwords).

In any event, I would appreciate it if you were to update that section John of Reading (since you seem to know the specific details I don't). Cheers CapnZapp (talk) 11:30, 13 March 2021 (UTC)[reply]

@CapnZapp: I've made some edits to Help:Logging in; feel free to revert, reword etc as usual. And yes, those sections were written before that preference checkbox was added.

which contradicts this talk section - I don't think there's a contradiction. In this talk section, the OP is asking about logging in with the existing account password, which stays valid. Whereas at Help:Logging_in#What_if_I_forget_my_password?, the text is talking about logging in with the temporary system-generated password, which, I think, does have to be changed. -- John of Reading (talk) 13:17, 13 March 2021 (UTC)[reply]

Ah. If the following is the case, it could stand to be conveyed to the reader more clearly: "When you ask for a temporary password you don't have to use it, you can still use your old password. But if you do use it to log in, you now need to change it." Would you agree this is a correct understanding of how it works? Do note that at many other sites, asking for a password reset actually resets the password (so the old one no longer works, you have to use the temporary one). Of course, I fully understand that the system doesn't want to allow just anyone to reset somebody's password, so it's not that any of this should be interpreted as dissent. Cheers CapnZapp (talk) 14:00, 13 March 2021 (UTC)[reply]

@CapnZapp: When you ask...now need to change it - yes, this is my understanding of how it works. -- John of Reading (talk) 15:42, 13 March 2021 (UTC)[reply]

Why is Special:PasswordReset blocked for blocked IP ranges?

Tracked in Phabricator
Task T109909

A while back, I was trying to reset my account's password while using my mobile device. Apparently, the IP my mobile device was assigned was subject to a range block at the time for some reason (most likely due to a history of anonymous editors in the area causing disruption for various reasons). During this process, I found out that I was not able to access Special:PasswordReset since the IP my mobile device was assigned was blocked per the aforementioned range block. I mean, this is an inconvenience for legitimate editors trying to recover their accounts, but only have access to mobile devices at the time. (I don't even see this fact referenced anywhere on Wikipedia:Blocking policy.) So, I'm just curious: Why is Special:PasswordReset disabled for blocked IPs? Steel1943 (talk) 17:12, 18 April 2022 (UTC)[reply]

Per Xaosflux's findings here, this is apparently a known issue that was reported back in August 2015 ... but after almost 7 years hasn't been resolved yet. I have posted a link to the Phabricator ticket at the top of this section. Steel1943 (talk) 17:52, 18 April 2022 (UTC)[reply]
phab:T109909#2934299 seems to have an answer:
Some time ago checkusers and stewards went crazy when a prolific vandal started doing massive password resets from many IP addresses. And since the only activity that came from those ranges were those password resets, an anon-block only global or local rangeblock was enough to stop it. If this goes forward, there's again potential for abuse, unless there's a ratelimit of password resets an account can request, and such rate limit should be global (for all CentralAuth wikis).
— User:MarcoAurelio
The issue seems to be more of a "political" issue than a technical one (technically it's 100% feasible). My best guess is that such a discussion to change this would need to be held on Meta. —k6ka 🍁 (Talk · Contributions) 12:07, 25 April 2022 (UTC)[reply]
Thank you for the ping. That was years ago. Back then there was no option to block email for unregistered contributors, and if I remember rightly, no local or global rate limits for how many password resets you could request per IP and/or account per day (this all was pre-SUL finalisation and phab:T21227 was the request back then). If these safeguards exist today (apparently not?), the decision to allow password resets from blocked IP ranges without "block email" activated is a technical, not political one IMHO. Having an RfC to change this seems too much to me. Thanks, —MarcoAurelio (talk) 12:39, 25 April 2022 (UTC)[reply]
A bit late but I did some digging and was able to find phab:T8427, which seems to have been the response to the aforementioned abuse. House Blaster^talk 20:18, 28 August 2022 (UTC)[reply]

Guidance on password recovery with lost email address

Any objections or comments?

special:diff/1083406327/1217906098

Bluerasberry (talk) 15:35, 8 April 2024 (UTC)[reply]

@Bluerasberry: I've always thought of Help:Logging in as the main help page for log in problems generally, and Help:Reset password as describing just the special page Special:PasswordReset. Otherwise too much from Help:Logging in has to be duplicated here. -- John of Reading (talk) 15:52, 8 April 2024 (UTC)[reply]

@John of Reading: I think that is best. I posted at Help_talk:Logging_in#Lost_password,_no_email_instructions. Bluerasberry (talk) 16:14, 8 April 2024 (UTC)[reply]