
Reduce password reset spam
Open, Needs Triage, Public

Description

Some users with short and obvious usernames get very many unsolicited password reset emails. User:Angela reports getting 6 in the last 28 days and considers this to be a typical rate. The assumed cause is people with the same name believing (or suspecting) they are the legitimate owner of the account.

Possible solutions:

  • Opt in to a security question. The security question must be answered correctly before the password reset mail is sent.
  • Opt in to two-step verification, and then disallow password reset through email if two-step verification has been used within the last X days.
  • Opt out of one of the password reset routes (by username / by email), while still allowing the other.

Also possible (though debated by some contributors, see below):

  • Allow users to simply opt out from password reset mails. The user promises not to forget their password.

Event Timeline

Huji subscribed.

Tim, I removed option 2 (show partial email address) for privacy concerns (the partial email can potentially reveal someone's name, for instance). I also removed option 3 because it is not solving the problem, but eliminating it.

I also added an alternative about two-step verification.

What is wrong with eliminating the problem?

It is shortsighted. Imagine we implement this. Then I promise not to forget my password, and ask for password reset to be disabled for me. Later, someone hacks into my account and changes the password. I have no way to take it back.

So you eliminate a problem by introducing other contingencies. That is not strategic.

I would very much like to have this spam reduced. While my username isn't a common name (like Angela), it is _short_ (4 characters). If I had my druthers, I'd prefer the security question as it is least invasive to the user from a day-to-day operational standpoint.

I note when someone is implementing this... under T230436 and by Community-Tech

Logging should be put in place so we can see the state of things (ip/user X requested reset for Y etc)... And we should be putting in a rate limiter to prevent one user/ip doing a load of requests.

Both should be relatively easy to do while working in the area

Note that nowadays, there is a feature that would help mitigate this issue: "Send password reset emails only when both email address and username are provided." (in "Email options" section here).

When this feature is enabled, email for the relevant account is not sent until both fields in https://en.wikipedia.org/wiki/Special:PasswordReset are filled.

I would like to report an issue with this feature: currently, nothing in the interface/message points out that both fields have to be filled in this case. The page clearly states that only one of the fields has to be filled. Therefore, the user could have a hard time figuring out why he is not receiving the email…

	"passwordreset-text-one": "Complete this form to receive a temporary password via email.",
	"passwordreset-text-many": "{{PLURAL:$1|Fill in one of the fields to receive a temporary password via email.}}",
		$i = 0;
		if ( isset( $resetRoutes['username'] ) && $resetRoutes['username'] ) {
			$i++;
		}
		if ( isset( $resetRoutes['email'] ) && $resetRoutes['email'] ) {
			$i++;
		}

		$message = ( $i > 1 ) ? 'passwordreset-text-many' : 'passwordreset-text-one';

I viewed the Special:PasswordReset page in three situations:

  • logged in, with feature "Send password reset emails only when both email address and username are provided." enabled
  • logged in, with feature "Send password reset emails only when both email address and username are provided." disabled
  • logged out

In all three situations, I get the MediaWiki:Passwordreset-text-many message, with $1 having value 2.

Three problems:

  • $1 having value 2 in cases where the value should be 1.
  • The message doesn't have pluralized form, so obviously it won't display in plural.
  • The setting is user-specific, so if the user is logged out (which should be the most common case here), how could we determine what message to display…

Because as per the quoted code... I missed an earlier part:

		$resetRoutes = $this->getConfig()->get( MainConfigNames::PasswordResetRoutes );

// snip

		$i = 0;
		if ( isset( $resetRoutes['username'] ) && $resetRoutes['username'] ) {
			$i++;
		}
		if ( isset( $resetRoutes['email'] ) && $resetRoutes['email'] ) {
			$i++;
		}

		$message = ( $i > 1 ) ? 'passwordreset-text-many' : 'passwordreset-text-one';

The message that is shown depends on https://mediawiki.org/wiki/Manual:$wgPasswordResetRoutes

The {{PLURAL:$1 is often not used in en, but is in other languages.

Understood, the message is not about how many fields the user has to fill, but about how many fields are on the page.

So, considering the optional feature "Send password reset emails only when both email address and username are provided", which:

  • we may not know if it is enabled, until we know what user asks for the reset
  • and nevertheless, I suppose we should not reveal if a given user has enabled the feature or not

maybe the message should rather be something like "Fill in one, or more if possible, of the fields…"

Sounds like you're on the right track. :)

I'd agree it would be an infoleak if we were disclosing whether a specific user had enabled that preference. I think the code is purposefully designed not to do that in its present state
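The following Python model is an added example, not code from this task or from MediaWiki. It ties together the points raised above: the form text is chosen from the configured reset routes (the fields on the page, as in the quoted PHP), the per-user "require both username and email" preference is honoured without being disclosed (the requester always gets the same generic response, whether the account exists, has opted in, or was recently mailed), one mail is sent per valid account per interval, requests per IP are limited, and every request is logged for operators. The class and function names, the limits, the IP addresses and the sample accounts are assumptions made for the example.

```python
"""Constructed model of a password-reset request handler (example code,
not MediaWiki's implementation)."""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("passwordreset")

GENERIC_RESPONSE = ("If the information submitted is valid, "
                    "a password reset email will be sent.")
THROTTLED_RESPONSE = "Too many password reset requests from this address; try again later."
EMPTY_FORM_RESPONSE = "Fill in at least one of the fields."


@dataclass
class Account:
    name: str
    email: str
    # Models the preference "Send password reset emails only when both
    # email address and username are provided".
    require_both: bool = False


@dataclass
class ResetService:
    # Same shape as $wgPasswordResetRoutes, e.g. {"username": True, "email": True}
    routes: dict
    accounts: dict                      # username -> Account
    account_interval: int = 24 * 3600   # seconds between mails to one account (assumed value)
    ip_limit: int = 5                   # requests per IP per ip_window (assumed value)
    ip_window: int = 3600
    last_sent: dict = field(default_factory=dict)     # username -> timestamp of last mail
    ip_requests: dict = field(default_factory=dict)   # ip -> [timestamps]
    sent: list = field(default_factory=list)          # (username, email, ts) recorded "mails"

    def form_message(self):
        """Pick the form text the way the quoted PHP does: count the enabled
        routes, i.e. the fields on the page, not the fields a particular user
        must fill. Returns (message key, value of $1)."""
        n = sum(1 for r in ("username", "email") if self.routes.get(r))
        return ("passwordreset-text-many" if n > 1 else "passwordreset-text-one"), n

    def _ip_throttled(self, ip, now):
        recent = [t for t in self.ip_requests.get(ip, []) if now - t < self.ip_window]
        recent.append(now)
        self.ip_requests[ip] = recent
        return len(recent) > self.ip_limit

    def request(self, ip, now, username=None, email=None):
        # A value for a disabled route is ignored, as if the field were not on the form.
        if not self.routes.get("username"):
            username = None
        if not self.routes.get("email"):
            email = None
        if self._ip_throttled(ip, now):
            log.info("reset throttled ip=%s", ip)
            return THROTTLED_RESPONSE
        if not username and not email:
            return EMPTY_FORM_RESPONSE

        # A username names one account; an email address may match several.
        if username:
            acct = self.accounts.get(username)
            candidates = [acct] if acct and (email is None or acct.email == email) else []
        else:
            candidates = [a for a in self.accounts.values() if a.email == email]

        mailed = 0
        for acct in candidates:
            if acct.require_both and not (username and email):
                continue    # preference not met: drop silently, response stays generic
            if now - self.last_sent.get(acct.name, -self.account_interval) < self.account_interval:
                continue    # one mail per account per interval
            self.last_sent[acct.name] = now
            self.sent.append((acct.name, acct.email, now))
            mailed += 1

        # Operators see who asked for what; the requester only sees the generic text,
        # so the response does not reveal whether the account exists or has opted in.
        log.info("reset request ip=%s username=%s email=%s candidates=%d mailed=%d",
                 ip, username, email, len(candidates), mailed)
        return GENERIC_RESPONSE
```

The one response that does differ is the per-IP throttle, which depends only on the requester's own behaviour, not on any property of the target account, so it does not leak anything about a user's preferences.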

maybe the message should rather be something like "Fill in one, or more if possible, of the fields…"

And/or something like "if you don't get a password reset email after filling out this form, try filling out the form again with all fields completed" (wording things is hard)

And probably also making sure the submission message is maybe updated... But maybe it's good enough already

	"passwordreset-success-details-generic": "If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the [[mw:Special:MyLanguage/Help:Reset_password|reset password help page]] or try again later. You can only <strong>request a limited number of password resets within a short period of time. Only one password reset email will be sent per valid account every {{PLURAL:$1|hour|$1 hours}}</strong> in order to prevent abuse.",

And that same Help link maybe should be included on the form before you submit it too (ie in one of the passwordreset-text- messages... Or a new message added to display it on the same page)