Log if password matches current for password reset event #11423
Conversation
Co-authored-by: Zach Margolis <[email protected]>
aduth
changed the title
app/forms/reset_password_form.rb
Outdated
| @@ -47,6 +47,8 @@ def handle_valid_password | |||
| end | |||
|
|
|||
| def update_user | |||
| @password_matches_existing = user.valid_password?(password) | |||
There was a problem hiding this comment.
This is a relatively expensive comparison, I'm not sure if we'd want to do this on every password reset going forward. It may even be desirable to feature flag it?
There was a problem hiding this comment.
Looks like we do roughly 100k password resets a day. If we are concerned we could capture this for a subset (5%? 10%?) and still get a meaningful result?
There was a problem hiding this comment.
Yeah I could set this up as an A/B test to limit the performance impact, and to allow us to quickly turn it off.
However, that being said, if we ever did want to do any sort of follow-up work here (e.g. avoid deactivating profiles for unchanged password), I'm not sure there's a way around doing the check.
There was a problem hiding this comment.
Although, in that hypothetical future, I suppose the cost of checking whether the password has changed would be offset slightly by avoiding hashing the new password when it's unchanged.
Co-authored-by: Zach Margolis <[email protected]>
* Log password changed * Document analytics property * Add spec coverage for password_different * changelog: Internal, Analytics, Add logging property for unchanged password reset of verified account * Typo: Profile deactivated * Invert password_different to password_matches_existing Co-authored-by: Zach Margolis <[email protected]> * Refactor form specs for updated expectations * Add form test case for password_matches_existing * A/B test subset of password resets for logging * Remove inaccurate route verb Co-authored-by: Zach Margolis <[email protected]> --------- Co-authored-by: Zach Margolis <[email protected]>
…ent (#11457) * Revert "Log if password matches current for password reset event (#11423)" This reverts commit a419d8c. * Remove inaccurate route verb Co-authored-by: Zach Margolis <[email protected]> * Refactor form specs for updated expectations * Remove spec expectations for password_matches_existing --------- Co-authored-by: Zach Margolis <[email protected]>
🛠 Summary of changes
Adds an event property indicating whether the password was the same as the user's current password when successfully resetting a user password.
This will be used to understand how common this behavior is, in case there's improvements we could make to this workflow, particularly for users who might be impacted by identity verification profile deactivation due to password reset.
Related Slack discussion: https://gsa-tts.slack.com/archives/C01710KMYUB/p1730231046429359
📜 Testing Plan
make watch_eventsin a separate terminal processpassword_matches_existingisfalseif you entered a different password, ortrueif you entered the same password