Don't leave your fly open
This is an essay. It expresses the opinions and ideas of some wikimedians or Meta-Wiki users, but may not have wide support. This is not policy on the Meta-Wiki, but it may be a policy or guideline on other Wikimedia projects. Feel free to update this page as needed, or use the discussion page to propose major changes.
Security is a big concern for Wikimedia projects, and there are several mechanisms in place to tighten this security, but the number one deterrent of account hijacking is you. Failing to protect yourself online, such as by choosing a weak password that is easy to guess, such as "1234" or "password", is simply asking for trouble – just like walking around with your fly open. We recommend that you avoid getting caught with your fly open, by choosing a strong password and taking steps to prevent your account from being hijacked. This essay is meant to highlight some of the simple, easy-to-do, and common-sense things that everyone can do to have greater security, but is by no means a complete guide to network or Internet security.
How to choose a strong password
- Longer passwords are better: eight characters is the usual minimum, not a target, since every extra character multiplies the work an attacker has to do; mix upper and lower case in the alphabetic characters.
- Do not use birth dates, family names, phone/social security/passport/id numbers, or any other information tied personally to you or someone you know.
- Do not use words that may appear in any dictionary, including foreign-language ones; attackers' word lists are not limited to English.
- Use nonsensical strings of characters (not dictionary words), ideally chosen at random. Use a mnemonic if necessary; for example, "My First Cousin Al lives in Denver" is an aid to remembering "M1CA11inD" (note the use of 1 in place of l).
- Do not use a password that has been used as an example of a good one (like "M1CA11inD", which appears above).
- Use spaces, punctuation, special characters or symbols, such as =, #, /, or ©. These are permitted in all Wikimedia log-ins. Note however that some of those may be difficult to find on a foreign keyboard.
- See password strength for explanations and more tips.
Our system allows you to use a passphrase rather than just a single word. If your passphrase is long enough you can ignore many of the common tips, such as avoiding dictionary words, because its strength comes from how the words were chosen rather than from the words themselves. For example "twig let iffy date ron carl" is very strong even though it consists of dictionary words: six words picked at random from a list of several thousand give an attacker far more combinations to try than eight random characters do. NB: Phrases from quotation collections are just as bad as dictionary words; they have been published and can be tried one after another. "Gaul is divided into three parts", "I came, I saw, I conquered" and "You too, Brutus?" are three bad examples with connections to Julius Caesar. Many other examples should come easily to mind and, if they do, will be bad choices as well.
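As an added illustration, not part of the original essay, the following Python script puts numbers on the advice above: it generates an eight-character alphanumeric password and a six-word passphrase with the cryptographically secure `secrets` module, and compares their entropy with that of a famous quotation. The short word list is constructed for the example, the 7776-word list size is that of a standard diceware list, and the 100,000-quotation corpus and the 10 billion guesses per second are assumed figures.

```python
import math
import secrets
import string

# A constructed stand-in for a real word list (diceware lists such as the EFF
# long list have 7776 words); the generator samples from it so the example runs
# offline, while the entropy figures use the size of the real list.
EFF_LIST_SIZE = 7776
SAMPLE_WORDS = [
    "twig", "let", "iffy", "date", "ron", "carl", "amber", "brisk", "cobalt",
    "drift", "ember", "flint", "gale", "hazel", "inlet", "jolly", "kiosk",
    "lumen", "mossy", "nudge", "opal", "pivot", "quill", "ridge", "sable",
]
ALNUM = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy, in bits, of a secret made of `symbols` independent uniform
    picks from `choices_per_symbol` possibilities: log2 of the search space."""
    return symbols * math.log2(choices_per_symbol)


def random_password(length: int = 8, alphabet: str = ALNUM) -> str:
    """An eight-character mixed-case alphanumeric password, the essay's floor."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 6, words=SAMPLE_WORDS) -> str:
    """Words picked uniformly at random with `secrets` (never `random`, which is
    not suitable for secrets).  Strength comes from the randomness of the pick,
    not from the words being obscure, so dictionary words are fine here."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker testing guesses at the given rate, who on
    average has to search half the space."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_strengths(guesses_per_second: float = 1e10) -> dict:
    """Entropy of the essay's three kinds of secret against an offline attacker
    testing 10 billion guesses per second (an assumed rate for a fast hash)."""
    quotation_collection = 100_000  # assumed size of a quotations corpus
    cases = {
        "8 random alphanumerics": entropy_bits(len(ALNUM), 8),
        "6 random words from a 7776-word list": entropy_bits(EFF_LIST_SIZE, 6),
        "a famous quotation": entropy_bits(quotation_collection, 1),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
    for name, (bits, seconds) in compare_strengths().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{seconds / 86400:.3g} days")
```

Six random words come to about 77.5 bits, eight random alphanumerics to about 47.6, and a quotation that an attacker can simply enumerate to under 17: the passphrase is some 30 bits (a billion times) harder to guess than the "strong" eight-character password, and the quotation is hopeless.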
How to prevent account hijacking
In addition to selecting a strong password, there are many precautions you should take to prevent your account from being hijacked. Essentially, it comes down to care and good sense. Taking simple measures against account hijacking will keep your account from being used as the next rogue editor, and keep you from losing your editing and/or sysop privileges for good.
Editing from public computers
As a general rule of thumb, you should never log in from a public computer, such as one in a library or school, since you cannot trust what software is running on it. If you feel that you absolutely must log in to your Wikimedia account from one, please be sure to abide by the following:
- Create a separate account for use on public computers, or just edit without logging in. This account should have a password and e-mail address that are distinct from those of your main account, and you should place a notice on the account's userpage indicating that it is your alternate account.
- You should never log into an account with Sysop, CheckUser, Oversight, or other privileges on a public computer.
- Be sure to log out when you are finished, and also make sure you clear the cookie files and the local cache files on that machine. Note that many browsers can save the answers to forms you fill out (including your login form); if the one you used was set to do so, be certain to tell the browser to forget any that it has collected. Browsers vary in their arrangements for these conveniences, and have changed them between released versions, so care is required.
- Beware of shoulder surfers when logging in.
- If logged in, use the secure (HTTPS) address of the wiki so that your password and session cookie cannot be read off the network. The secure address has an "s" (for secure) in the "https" at the beginning -- https://meta.wikimedia.org/ , https://en.wikipedia.org/ , etc. Note that HTTPS protects only the connection: it does nothing against spyware or a keylogger installed on the public computer itself, which is why the precautions above still apply.
Good home computer hygiene
Additionally, there are many steps that should be taken to ensure "good computer hygiene" at home, namely:
- Protect your own computer operating system log-in account with a password, and set it up to automatically log-off after a brief period of inactivity, if possible.
- Do not use toolbars or Browser Helper Objects (BHOs) supplied by untrustworthy third parties. Use cautious settings for such software even from typically trusted vendors, such as Google, Yahoo, Microsoft, or Symantec, if you must use such add-ons.
- If your browser is set to remember your login/password for Web sites, make sure the browser's password manager has a strong master password (Firefox users have this ability), or clear the password memory before shutting down. Preferably, no software on your computer should store any password, but if you must, your browser should be set to use your operating system's password manager, which should also have a strong password and use strong encryption. For more on password managers, see w:Password manager.
- Avoid writing your password or username down, but if you must, never do so within reach of your computer's location(s). And do not keep passwords in a human readable computer file on the machine.
- Do not use the same password on different websites. In particular, do not use your wiki password for mailing lists or IRC channels; these are often volunteer-run services that transmit or store passwords with far weaker protection than the wiki's login does (IRC, for instance, sends everything in clear text unless the connection uses TLS).
- Install, and maintain, a good, well-known anti-virus program such as Norton Internet Security, McAfee Security Center, or AVG Antivirus, for Windows systems. Linux systems are far less afflicted with malware such as viruses or Trojans. Also get and install a reputable firewall. On Windows, Zone Alarm, McAfee, and Symantec are well known. On Linux systems, the packet filter built into the kernel in all recent releases is satisfactory. There are many other options, including hardware firewalls such as those built into routers. All of these must be sensibly configured, or none will be effective. Consult a knowledgeable system administrator, PC repair professional, or retail salesperson in your area for more advice and information; there is much confusion around these matters, and some will claim knowledge beyond their competence, so treat advice with caution. Mac users should activate the built-in firewall and set it to Stealth Mode, or, to be especially secure, install software such as Eset's security products or w:Symantec software (such as Norton Internet Security).
Beware of phishers
Phishing is a method of account hijacking that is becoming increasingly common. It involves the use of e-mails and web pages designed to fool users into thinking that information is requested from them by an authority they trust. An example of a phishing attempt would be a page that looks exactly like the Wikipedia log-in page, but when you click "submit" you send your username and password not to Wikimedia's servers, but to a phisherman's inbox. Here are a few steps you can take to help protect yourself from phishing:
- Always double-check the URL of any page on which you submit a password, and check the whole host name, not just its beginning: "en.wikipedia.org.example.net" is not Wikipedia. For example, if you are logging into the English Wikipedia, you should always ensure that you are currently viewing https://en.wikipedia.org/wiki/Special:UserLogin (the plain http://en.wikipedia.org/wiki/Special:UserLogin address sends your password unencrypted, and https://secure.wikimedia.org/wikipedia/en/wiki/Special:UserLogin is the older secure gateway address).
- Be wary even of pages on Wikimedia wikis. As they are all open content, it's not inconceivable that a phishing attempt may appear on, for instance, a Wikipedia page.
- Never give out your password to anyone, even if you are positive that they are employees of the Wikimedia Foundation. No one with the foundation should ever ask for your password or other personal information.
- Use caution when following hyperlinks, especially those found in e-mails or on untrustworthy websites. If the site is one on which you will enter a password or any other personal information, go to it using a bookmark or by typing what you know to be the correct URL into the address bar, if possible. Hovering over a link with your mouse and checking the URL that appears in your status bar offers some protection, but the URL in the status bar can easily be forged (a script can swap the link's target at the moment you click), so this method is by no means foolproof. To be sure where a link points, check the page source. Finally, some software automatically turns plain-text URLs into links for convenience. This allows phishermen to trick people by making a hyperlink to a phishing site whose visible text looks like the plain-text URL of a trusted site that an application, such as your e-mail program, has turned into a link. Unless the status bar information has been forged, such a link can be identified by hovering your mouse over it and comparing the two addresses. If you are sure that the URL is correct, you can safely type or paste it into the address bar.
- If you believe your password may have been phished, please attempt to log-in to your account and change your password. If you are unable to log-in, notify a developer, administrator, or other trusted member of your wiki immediately that your account has been compromised. You will not face any repercussions for having your account hijacked, other than a temporary suspension of your account.
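The URL checks described above, written out as an added Python example that is not part of the original essay. `is_safe_login_url` accepts a login page only if it is served over HTTPS and its host is exactly one of the trusted hosts, rejecting the usual tricks (a trusted name used as a prefix, as a path, or as the user part before an "@", and lookalike non-ASCII or punycode hosts); `deceptive_link` flags a link whose visible text is a URL for one host while the link itself goes to another. The trusted host set and all the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts on which it is legitimate to enter a Wikimedia password (assumed list
# for the example; extend it with the projects you actually use).
TRUSTED_LOGIN_HOSTS = {"en.wikipedia.org", "meta.wikimedia.org"}


def is_safe_login_url(url: str, trusted_hosts=TRUSTED_LOGIN_HOSTS) -> bool:
    """True only if the URL is HTTPS and its host is exactly a trusted host."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False                      # plain http sends the password in clear
    host = parts.hostname                 # lower-cased; drops user@ and :port,
    if not host:                          # so "en.wikipedia.org@evil" -> "evil"
        return False
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False                      # lookalike (homograph) characters
    if any(label.startswith("xn--") for label in host.split(".")):
        return False                      # punycode form of the same trick
    return host in trusted_hosts          # exact match, never a prefix match


def deceptive_link(visible_text: str, href: str) -> bool:
    """True when a link's visible text is itself a URL for one host but the
    link actually goes to a different host (the auto-linking trick above).
    Only URL-shaped labels with a scheme are checked; plain words are not."""
    shown = urlsplit(visible_text.strip())
    if not shown.scheme or not shown.hostname:
        return False
    return shown.hostname != urlsplit(href).hostname


if __name__ == "__main__":
    # Constructed sample links: one legitimate and the classic phishing forms.
    samples = [
        "https://en.wikipedia.org/wiki/Special:UserLogin",
        "http://en.wikipedia.org/wiki/Special:UserLogin",
        "https://en.wikipedia.org.example.net/wiki/Special:UserLogin",
        "https://example.net/en.wikipedia.org/wiki/Special:UserLogin",
        "https://en.wikipedia.org@example.net/wiki/Special:UserLogin",
        "https://en.wikipedi\u0430.org/wiki/Special:UserLogin",  # Cyrillic a
    ]
    for url in samples:
        print(f"{'OK  ' if is_safe_login_url(url) else 'STOP'} {url}")
    print(deceptive_link("https://en.wikipedia.org/wiki/Special:UserLogin",
                         "https://en.wikipedia.org.example.net/login"))
```

The point of using `urlsplit` rather than a string prefix test is that the browser's own parser decides which part of the address is the host, and that is the part the check has to match exactly.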
Editing from wireless networks
Editing from a wireless network makes it much easier for someone nearby to intercept your password if the proper precautions are not taken, because all transmissions are broadcast over the air. Therefore, when editing from one, use these precautions:
- Make use of VPNs. (Some universities, for example, leave their WLAN unencrypted and rely on a VPN to provide the security instead.)
- Make sure that your network is protected by WPA2 or WPA2-PSK using the AES encryption method (or by WPA3 where your hardware supports it), or by a VPN if possible. If you control the base station hardware, and it does not support WPA2, it should be replaced or upgraded with a firmware that adds support for WPA2.
- If your operating system is Windows XP, get it patched to support WPA2 with this patch from Microsoft. Note that this patch requires Windows XP Service Pack 2. This patch is included with Windows XP Service Pack 3.
- If you cannot replace or upgrade your hardware to support WPA2, use WPA using AES if possible.
- If you are using hardware that cannot be upgraded to support WPA2 or WPA using AES, it should be replaced. There is nothing like having someone use your WLAN to download child porn or perform other illegal activities, having the IP address traced to you, and getting arrested for someone else's crimes. WEP can often be cracked in under one minute once enough traffic has been captured, so it offers practically no protection at all against this scenario. TKIP encryption, which is the default encryption method of WPA, is essentially WEP reworked to foil all the attacks against WEP that were known at the time it was developed; it was needed in order to secure legacy hardware that does not support AES. It was considered much stronger than the original WEP until 2008 and 2009, when Beck and Tews, and then the Japanese cryptanalysts Ohigashi and Morii, showed how to decrypt short packets and inject forged ones into a TKIP network, the latter version in about one minute. These attacks do not recover the network key, but they are enough to regard TKIP as broken, and it should be treated as little better than WEP.
- If you are using WPA-PSK or WPA2-PSK, make sure that the passphrase on the network is sensible. The network key is derived from the passphrase and the network name, which is broadcast, so an attacker who records one client connecting can test guesses offline for as long as they like; weak passphrases allow WPA-PSK and WPA2-PSK to fall to dictionary attacks.
- If you must edit using an unencrypted, TKIP-protected, or WEP-protected Wi-Fi network, use the secure server URL for your project, which begins with "https://" instead of "http://". For example, the secure server URL for the English Wikipedia is https://en.wikipedia.org/.
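To show concretely why a guessable WPA-PSK or WPA2-PSK passphrase falls to a dictionary attack, here is an added Python example that is not part of the original essay. It derives the pairwise master key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes) and then runs a constructed wordlist against a constructed network. One simplification is labelled in the code: a real attacker checks each guess against the recorded four-way handshake rather than against the key itself. The SSID "HomeNet", the wordlist and the weak passphrase are all constructed for the example.

```python
import hashlib
import time
from typing import Optional

# Constructed wordlist standing in for the multi-million-entry lists attackers
# actually use; the weak passphrase below is deliberately on it.
CONSTRUCTED_WORDLIST = [
    "password", "letmein", "iloveyou", "sunshine", "football", "princess",
    "qwerty123", "welcome1", "dragon", "monkey", "trustno1", "homenetwork",
]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """The WPA/WPA2-PSK pairwise master key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096
    iterations, 256-bit output.  The SSID is broadcast, so the passphrase is
    the only secret input."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(ssid: str, captured_pmk: bytes, wordlist) -> Optional[str]:
    """Offline guessing: recompute the key for each candidate and compare.
    Simplification: a real attacker holds the recorded four-way handshake, not
    the key, and verifies each guess by recomputing the handshake's MIC from
    it; comparing keys directly keeps this example self-contained, and the
    per-guess cost (one PBKDF2 run) is the same either way."""
    for candidate in wordlist:
        if wpa_psk(candidate, ssid) == captured_pmk:
            return candidate
    return None


def seconds_per_guess(ssid: str = "HomeNet", samples: int = 20) -> float:
    """Measure the cost of one PBKDF2 guess on this machine (assumed roughly
    representative of a single-CPU attacker; GPUs are far faster)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"probe{i}", ssid)
    return (time.perf_counter() - start) / samples


def attack_cost_seconds(candidates: int, cost_per_guess: float) -> float:
    """Worst-case time to exhaust a list of the given size."""
    return candidates * cost_per_guess


if __name__ == "__main__":
    ssid = "HomeNet"                                   # constructed SSID
    weak = wpa_psk("sunshine", ssid)                   # passphrase on the list
    strong = wpa_psk("twig let iffy date ron carl", ssid)
    print("weak   ->", dictionary_attack(ssid, weak, CONSTRUCTED_WORDLIST))
    print("strong ->", dictionary_attack(ssid, strong, CONSTRUCTED_WORDLIST))
    per_guess = seconds_per_guess(ssid)
    print(f"{per_guess * 1e3:.2f} ms per guess on this CPU; a 10-million-word "
          f"list takes about {attack_cost_seconds(10_000_000, per_guess) / 3600:.1f} h, "
          f"while six random words need on the order of 2^77 guesses")
```

The 4096 PBKDF2 iterations slow each guess down, but they cannot rescue a passphrase that is on a wordlist: the attack time is simply the list length times the cost of one guess, and the attacker chooses the list. Changing the SSID to something unusual at least defeats precomputed tables, since the SSID is the salt, but only the passphrase's own unpredictability sets the real cost.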
Establish a committed identity
Establish a committed identity: publish on your user page a cryptographic hash (typically SHA-512) of a secret string that only you know, for instance with a template like w:Template:User committed identity. If your account is ever hijacked and its password changed, you can prove to the community that you are the real owner by revealing the string, which anyone can hash and compare with the published value, something the hijacker cannot do. Make the secret string long and unguessable, since a short one could be brute-forced from the published hash, and keep it somewhere other than the computer you edit from.