Ever since T174492 was done, we have had the ability to log login attempts in CheckUser. This task proposes that we should enable this feature in WMF wikis.
Justification
For successful login attempts, the case is clear: it is one additional data point to use for CU purposes.
For failed login attempts, there is still a case to make: these are useful to be logged in that some users (especially those who have advanced permissions such as sysop, but are not using two-factor authentication) have repeatedly reported that their accounts have been targets of several failed login attempts (presumably, at least part of it is done by malicious users that are trying to gain access to their account). Logging the failed attempts will allow CheckUsers to investigate these incidents, and possibly identify another editor who seems to be behind the malicious attempt.
Considerations
One possible question that may come up is: would this be compatible with WMF CheckUser Policy? That policy indicates that "logged actions" are within the scope of CU on WMF. In practice, this includes some of the publicly logged actions (e.g. account creation, page deletion, AbuseFilter logs) but not all of them (e.g. Thanks logs are not stored in CheckUser yet, see T252226). This has also included some activities that are not publicly logged (e.g. revision suppression) and some activities whose logs are not accessible anywhere else on MediaWiki's web interface or API (e.g. sending emails is logged by CheckUser, and so are password resets). Given that failed login attempts are already logged by MediaWiki-extensions-LoginNotify and shown (currently only to the user), storing them in CU logs should be within scope. The other related policies are Access to Nonpublic Personal Data Policy and Privacy Policy both of which are written generically and do not get into the details of which actions are logged or are not.
Another possible question: should we do an RFC about it first? The answer, IMHO, is no, it is not needed. For all of aforementioned items that are currently logged, no RFC was done first to get community consensus on whether or not to include them in the CU logs.
Screenshot
If enabled, the log entries would look like below in a "get edits" query by the IP address. If you query by the username instead, only the first row will be returned.
Further Notes
As discussed further below, it turns out that some bots log hundreds of successful logins per hour (sometimes even per minute) and that could inflate the CU tables significantly. Therefore, we will exclude successful login attempts from the CU logs kept on WMF wikis.
Action Items
- Introduce $wgCheckUserLogSuccessfulBotLogins (r/605301)
- Create a patch for operations/mediawiki-config that sets the two global variables.
- Get approval from Legal
- Get acknowledgement for T&S
- Get approval from DBA (@Marostegui - with the conditions agreed during the task's discussion)
- Enable this for a few wikis, and monitor the growth of DB table size; also get feedback on usefulness of the new data
- Identify pilot wikis (fawiki and cswiki were selected)
- Deploy it for the pilot wikis (Done on 2020-09-03)
- Create a task for monitoring DB growth (see T261999)
- Enable this for all wikis but a few large ones
- Identify large wikis to be excluded (see T253802#6536344)
- Deploy it for all wikis minus the large wikis
- Monitor DB growth (see T265344)
- Upon DBA satisfaction, enable at all wikis but loginwiki
