Make sure you have a password
|(English) This is an essay. It expresses the opinions and ideas of some Wikimedians but may not have wide support. This is not policy on Meta, but it may be a policy or guideline on other Wikimedia projects. Feel free to update this page as needed, or use the discussion page to propose major changes.|
Security is a big concern for Wikimedia projects, and there are several mechanisms in place to tighten this security, but the number one deterrent of account hijacking is you. Failing to protect yourself online, such as by choosing a weak password that is easy to guess, such as "1234" or "password", is simply asking for trouble – just like walking around with your fly open. We recommend that you avoid getting caught with your fly open, by choosing a strong passphrase and taking steps to prevent your account from being hijacked. This essay is meant to highlight some of the simple, easy-to-do, and common-sense things that everyone can do to have greater security, but is by no means a complete guide to network or Internet security.
In 2015, a password policy was enacted to establish minimum password requirements for all users of Wikimedia wikis. The specific requirements listed on Password policy#Policy may be changed or expanded in the future to further enhance security.
How to choose a strong passphrase
Recommended: using a sentence instead of a word
For a long time, it has been recommended to use a complex password with lots of numbers and special characters. These passwords can be hard to remember, and they are usually very short. Instead, you might want to try using a passphrase. A passphrase consists of multiple words, and it does not need to contain special characters to be as secure as a classical "strong password".
- To generate a really secure passphrase, take any book of your choice, open it at a random position and choose a random word. This might be "correct".
- Repeat at least four times. The result might be something like "correct horse battery staple". That would be a good passphrase, if it hadn't been published as an example on the internet. Use something else!
You can also think of a completely silly sentence yourself, for example "Uncle Udo fishes Marvel Spiderman" or "Tom Riddle eats computer t-shirt".
Be warned! Humans have strong biases towards certain words. For instance, "Uncle Udo" alliterates, and is an even worse idea if you actually have an Uncle Udo and he likes to fish. "Marvel" has an obvious conceptual link to "Spiderman" (Marvel comics). "Tom Riddle" is a concealed name used by character in a popular novel series; such pop-culture references may be found in passwords quite a lot. "Eats", like "fishes", fits grammatically with its antecedent, and "computer" and "t-shirt" are things someone is likely to be able to see while making up a password.
Books also have strong biasses. Any given book will never use most of the words in a language, and rarely use most of the other words, but use some words very frequently.
Because of these biasses, neither of these methods will be anywhere near as secure as a passphrase genuinely chosen at random, using a solid random password generator. See passphrase article and this essay for more detail.
Alternative: classical password
If you really want to use a classical password instead, please keep the following things in mind:
- Longer passwords are better: a minimum of eight alphanumeric characters is usually suggested, with mixed cases in the alphabetic characters.
- Do not use birth dates, family names, phone/social security/passport/ID numbers, or any other information tied personally to you or someone you know.
- Do not use words that may appear in any dictionary (e.g., no foreign words either).
- Use nonsensical strings of characters (e.g., not dictionary words) and ideally randomly chosen ones only. Use a mnemonic if necessary; for example, "My First Cousin Al lives in Denver" is an aid to remember "M1CA11inD" (note the use of 1 instead of L).
- Do not use a password that has been used as an example of a good one (like "M1CA11inD", which appears above).
- Use spaces, punctuation, special characters or symbols, such as =, #, /, or ©. These are permitted in all Wikimedia log-ins. Note however that some of those may be difficult to find on a foreign keyboard.
- See password strength for explanations and more tips.
How to prevent account hijacking
In addition to selecting a strong password, there are many precautions you should take to prevent your account from becoming hijacked. Essentially, it comes down to care and good sense. Taking simple measures to combat account hijacking will keep you from becoming the next rogue editor and losing your editing and/or sysop privileges for good.
Editing from public computers
As a general rule of thumb, you should never edit from a public computer, such as those in libraries or schools without a trusted environment or without your personal account. If you feel that you absolutely must log-in to your Wikimedia account, please be sure to abide by the following:
- Create a separate account for use on public computers, or just edit without logging in. This account should have a password and e-mail that is distinct from your main account, and you should place a notice on the account's userpage indicating that it is your alternate account.
- You should never log into an account with Sysop, CheckUser, Oversight, or other privileges on a public computer.
- Be sure to log out when you are finished, and make sure you clear the cookie files and the local cache files on that machine. Note that many browsers can save the answers to forms you fill out (including your login form); if the one you used was set to do so, be certain to tell the browser to forget any that it has collected. Browsers vary in their arrangements for these conveniences, and have changed them between released versions, so care is required.
- Beware of shoulder surfers when logging in.
Good home computer hygiene
Additionally, there are many steps that should be taken to ensure "good computer hygiene" at home, namely:
- Protect your own computer operating system log-in account with a password, and set it up to automatically log-off after a brief period of inactivity, if possible.
- Do not use toolbars or Browser Helper Objects (BHOs) supplied by untrustable third parties. Use cautious settings for such software even from typically trusted vendors, such as Google, Yahoo, Microsoft, or Symantec, if you must use such add-ons.
- If your browser is set to remember your login/password for Web sites, make sure the browser's password manager has a strong master password (Firefox users have this ability), or clear the password memory before shutting down. Preferably, no software on your computer should store any password, but if you must, using a dedicated password manager might be advisable. For more information on password managers, see w:Password manager.
- Avoid writing your password or username down, but if you must, never do so within reach of your computer's location(s). And do not keep passwords in a human readable computer file on the machine.
- Do not use the same password on different websites. In particular, do not use your wiki password for mailing lists or IRC channels, as these tend to be far less secure than the Internet as a whole.
- Do not run untrusted software on your computer. "Useful free tools" quickly downloaded from the Internet are often shipped with adware. Even when downloading trusted programs, double-check that you are actually downloading them from the official website. Instead of relying on search engine results, it can often help to look the software up in Wikipedia to verify the official website link. Well-known open source programs like OpenOffice often have an URL that looks like "openoffice.org", and not "openoffice-for-free.example.de". Be attentive; don't blindly click large "DOWNLOAD" buttons. When Windows warns you about potentially untrusted software, always take these warnings seriously. Be careful that you do not accidentally consent to the installation of additional software like "browser toolbars" when installing a program. Blindly clicking "yes" or "continue" can lead to real headaches and a lot of time wasted on trying to remove unwanted software again.
- When you suspect that a virus or other unwanted software is running on your computer, do not light-mindedly ignore your instincts. It might be a good idea to ask a knowledgeable, trusted person to verify the integrity of your computer. This especially applies when you suddenly start seeing advertisements in unexpected situations. If you are using Google as a default search engine, for example, you should be extremely alarmed if a different search engine is suddenly replacing it. Even if it does not seem to be a large problem, this is often the beginning of greater trouble. If unwanted software is running on your computer, it could as well one day encrypt all your files and extort money for undecryption.
Beware of phishers
Phishing is a method of account hijacking that is becoming increasingly common. It involves the use of e-mails and web pages designed to fool users into thinking that information is requested from them by an authority they trust. An example of a phishing attempt would be a page that looks exactly like the Wikipedia log-in page, but when you click "submit" you send your username and password not to Wikimedia's servers, but to a phisherman's inbox. Here are a few steps you can take to help protect yourself from phishing:
- Always double-check the URL on any page on which you submit a password. For example, if you are logging into the English Wikipedia, you should always ensure that you are currently viewing https://en.wikipedia.org/wiki/Special:UserLogin
- Be wary even of pages on Wikimedia wikis. As they are all open content, it's not inconceivable that a phishing attempt may appear on, for instance, a Wikipedia page.
- Never give out your password to anyone, even if you are positive that they are employees of the Wikimedia Foundation. No one with the foundation should ever ask for your password or other personal information.
- Use caution when following hyperlinks, especially those found in emails or on untrustworthy websites. If the site is one in which you will enter a password or any other personal information, travel to it using a bookmark or by typing what you know to be the correct URL into the address bar, if possible. Hovering over a link with your mouse and checking at the URL that appears in your status bar offers some protection, but the URL in the status bar can be easily forged, so this method is by no means foolproof. To be sure what site a link is pointing to, check the source code. Finally, some software automatically turns plain text URLs into links for convenience. This allows phishermen to trick people by making a hyperlink to a phishing site that looks like a plain text URL of a trusted site that an application, such as your email program, has made into a hyperlink. Unless the status bar information has been forged, such a link can be identified by hovering your mouse over the link. If you are sure that the URL is correct, you can safely type or paste it into the address bar.
- If you believe your password may have been phished, please attempt to log-in to your account and change your password. If you are unable to log-in, notify a developer, administrator, or other trusted member of your wiki immediately that your account has been compromised. You will not face any repercussions for having your account hijacked, other than a temporary suspension of your account.
Editing from a Wi-Fi network
Editing from a wireless network makes it much easier to intercept your password if the proper precautions are not taken because all transmissions are broadcast. Therefore, when editing from one of them, use these precautions:
- When you are using a public network, do not ignore security warnings given to you by your browser. Trying to open Wikipedia and receiving a warning message about an untrusted connection is an extremely bad sign. Verify that your computer's clock is showing the correct time and date. A wrong date setting can cause the same warnings. If your computer's clock date is correct, and you still receive HTTPS warnings, stop using the connection. Better be safe than sorry.
- When using your personal home network, make sure that the WiFi passphrase is strong. Weak passwords can quickly be cracked by anyone driving by, and there is nothing like having someone using your WiFi to download child porn or perform other illegal activities, having the IP address get traced to you, and getting arrested for someone else's crimes.
Establish a committed identity
Establish a committed identity with a hash, for instance with a template like w:Template:User committed identity.
Two factor authentication
- Help:Two-factor authentication and Two-factor authentication for wikis and Help:Two-factor authentication