This page uses content from Wikipedia and is licensed under CC BY-SA.
|This page in a nutshell: Failing to use a sensible password can lead to temporary loss of editing access and may lead to permanent loss of privileged access.|
All registered users have to log in using a password before they can edit using their usernames. Passwords help ensure that someone does not masquerade as another editor. Editors should use a strong password to avoid being blocked for bad edits by someone who guesses or "cracks" other editors' passwords. Users may access their account's preferences to change their password.
As a rule of thumb, a password that is reasonably long, with a mix of upper and lowercase letters and numbers, and not mostly made up of dictionary words or names or personal information (date of birth, cat's name, etc.) is likely to be reasonably strong for everyday use. Passwords that consist of just lowercase letters can also be reasonably strong, but they must be significantly longer than passwords with more entropy per character; see this XKCD comic strip. However, it is left up to users to decide how strong a password they wish to use beyond this.
Accounts that appear to have been compromised may be blocked without warning; administrators will generally not unblock such accounts without evidence that their rightful owners solely control them.
Be careful on public WiFi networks. Sometimes there may be people sniffing packets and looking at information. If you edit from a public WiFi network it is a good idea to use a VPN or inspect the HTTPS certificate of your connection.
On Wikipedia, only certain users (including administrators) can perform some actions. It is especially important that these privileged editors have strong passwords. Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have weak passwords, or to have had their accounts compromised by a malicious person, may have their accounts blocked and their privileges removed on grounds of site security. In certain circumstances, the revocation of privileges may be permanent. Discretion on resysopping temporarily desysopped administrators is left to the bureaucrats, provided they can determine that the administrator is back in control of the previously compromised account.
As of December 2015, users with advanced permissions are formally required to maintain a password that meets certain specific requirements and may have their passwords audited by the Wikimedia Foundation.
Wikimedia's implementation of two-factor authentication (2FA) is a way of strengthening the security of your account. If you enable two-factor authentication, every time you log in you will be asked for a one-time six digit number in addition to your password. This number can be provided by an app on your smartphone or other authentication device. In order to login you must know your password and have your authentication device available to generate the code.
To set up two-factor authentication:
|You will also be presented with a series of one-time scratch codes. You should safely store a copy of these codes. If you lose or have a problem with your TOTP client you will be locked out of your account unless you have access to these codes.|
Users are encouraged to provide an email address in their preferences, as this enables them to reset their password via email if necessary. (Providing an email address also makes possible communications with other users via email; this can be disabled in preference by unchecking the option "Enable e-mail from other users".)