Wikipedia:User account security
This is an information page. It is not one of Wikipedia's policies or guidelines; rather, its purpose is to explain certain aspects of Wikipedia's norms, customs, technicalities, or practices. It may reflect differing levels of consensus and vetting.
This page in a nutshell: Failing to use a sensible password can lead to temporary loss of editing access and may lead to permanent loss of privileged access.
All registered users have to log in using a password before they can edit using their usernames. Passwords help ensure that someone does not masquerade as another editor. Editors should use a strong password to avoid being blocked for bad edits by someone who guesses or "cracks" other editors' passwords. Users may access their account's preferences to change their password.
In general
Password strength requirements are explained in the password policy. For normal users, those requirements are enforced when an account is created and when a password is changed.
You should have a password that:
- is at least eight characters (ten for privileged accounts)
- has a mixture of upper and lowercase letters and numbers
- avoids dictionary words, given or last names, or personal information (date of birth, cat's name, etc.)
- is not used on any other website – websites periodically get hacked, with user information leaked onto the internet
Do this, and your password is likely to be reasonably strong. The burden of using sufficiently strong passwords lies on you, the user. What this means is that if your account is compromised (for any reason), this will be treated as you not having used a sufficiently strong password.
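The first three items of the checklist above can be tested mechanically before a password is set. The following Python is an added example, not part of the original page or of MediaWiki's own code; the function name, the small wordlist and the sample inputs are constructed for illustration. The reuse item is not covered, because it cannot be decided from the password alone.

```python
import re

# Constructed sample wordlist; a real audit would load a full dictionary file.
SAMPLE_WORDS = {"password", "wikipedia", "dragon", "monkey", "welcome", "letmein"}


def check_password(password, personal_info=(), privileged=False, words=SAMPLE_WORDS):
    """Return the checklist items a password fails (an empty list means it passes).

    personal_info holds strings the user should not embed: names, a date of
    birth, a pet's name. privileged selects the ten-character minimum.
    """
    problems = []

    # Item 1: at least eight characters, ten for privileged accounts.
    min_len = 10 if privileged else 8
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Item 2: a mixture of upper-case letters, lower-case letters and numbers.
    has_all = all(re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d"))
    if not has_all:
        problems.append("needs upper-case, lower-case and digits")

    # Item 3a: dictionary words. Case is folded and non-letters are dropped,
    # so "Dragon2024" and "d.r.a.g.o.n" both still expose "dragon".
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(words):
        if len(word) >= 4 and word in letters_only:
            problems.append(f"contains dictionary word '{word}'")

    # Item 3b: personal information. Each item is split into runs of letters
    # or digits ("1990-04-17" -> "1990", "04", "17"); runs shorter than three
    # characters are ignored to avoid flagging every password with "04" in it.
    for item in personal_info:
        for token in re.findall(r"[a-z]+|\d+", item.lower()):
            if len(token) >= 3 and token in lowered:
                problems.append(f"contains personal information '{token}'")

    return problems


if __name__ == "__main__":
    # Constructed inputs: a pet's name plus a birth year, checked both ways.
    print(check_password("whiskers1990", ["Whiskers", "1990-04-17"]))
    print(check_password("qZ7vLm2x"), check_password("qZ7vLm2x", privileged=True))
```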
Avoid linking to external sites from your user page and user talk pages, since this reveals a connection that can be used in an attempt to take over your Wikipedia user account.
If you need to use a public computer or connect your own computer to a public Wi-Fi network, consider establishing an alternative account (see
Accounts that appear to have been compromised may be blocked without warning; administrators will generally not unblock such accounts without evidence that their rightful owners solely control them.
Never, ever, share your password. Accounts with advanced permissions risk having their permissions revoked or the account blocked due to violation of community trust and standards on account sharing.
Changing your password
Click on "Preferences" at the top right-hand corner of the page and then click the "Change Password" button on the "User Profile" tab to access the Special:ChangePassword page.
Failed login attempts
Through the
If you receive this notification, don't worry! Your account is still secure. But even if you do have a strong password, you may want to change your password anyway, if you suspect that someone else has tried to access your account.
What to do when your account has been compromised
Information on what to do when your account has been compromised can be found at Wikipedia:Compromised accounts § After being compromised.
In a nutshell, you can help Wikipedia block access to the account and prevent malicious behavior. Do not expect to be able to regain control of the account.
What to do when your device has been compromised
Wikipedia's "Log out" link logs out all the user's current sessions. If a logged-in device is lost or stolen, changing the password and logging out on another device may help to prevent future abuse of the account on the lost device.
Privileged editors
On Wikipedia, only certain users (including
Two-factor authentication (2FA)
Wikimedia's implementation of
Enrolling
During your enrollment you will be presented with a series of one-time scratch codes. You should safely store a copy of these codes. If you lose or have a problem with your TOTP client you will be locked out of your account unless you have access to these codes. Once locked out, regaining access to your account may not be possible.
To set up two-factor authentication:
- This action is currently limited to administrators, bureaucrats, oversighters, checkusers, edit filter managers, template editors and interface administrators. Other users may request 2FA at Steward requests/Global permissions on Meta.
- See Help:Two-factor authentication for step-by-step directions, cautions, and information about this feature.
Notes
For informal advice on personal security, including passwords, see Wikipedia:Personal security practices.
Users are encouraged to
See also
- Wikipedia:Blocking policy
- Wikipedia:Password strength requirements
- Password strength
- Wikipedia:Committed identity
- Wikipedia:FAQ/Technical (how to recover password)
- Wikipedia:Wikipedia Signpost/2006-02-06/Password security
- Wikipedia:Wikipedia Signpost/2006-12-18/Technology report
- Wikipedia:Wikipedia Signpost/2007-05-07/Admins desysopped
- Wikipedia:Wikipedia Signpost/2010-08-02/Technology report
- Wikipedia:Wikipedia Signpost/2015-11-11/Discussion report
- Wikipedia:Village pump (proposals)/Account security