Wikipedia:User account security

This is an information page.

It is not one of Wikipedia's policies or guidelines; rather, its purpose is to explain certain aspects of Wikipedia's norms, customs, technicalities, or practices. It may reflect differing levels of consensus and vetting.

Shortcuts

This page in a nutshell: Failing to use a sensible password can lead to temporary loss of editing access and may lead to permanent loss of privileged access.

All registered users have to log in using a password before they can edit using their usernames. Passwords help ensure that someone does not masquerade as another editor. Editors should use a strong password to avoid being blocked for bad edits by someone who guesses or "cracks" other editors' passwords. Users may access their account's preferences to change their password.

In general[edit]

Password strength requirements are explained in the password policy. For normal users, those requirements are enforced when an account is created and when a password is changed.

You should have a password that:

is at least eight characters (ten for privileged accounts)
has a mixture of upper and lowercase letters and numbers
avoids dictionary words, given or last names, or personal information (date of birth, cat's name, etc.)
is not used on any other website – websites periodically get hacked, with user information leaked onto the internet

Do this, and your password is likely to be reasonably strong. The burden of using sufficiently strong passwords lies on you, the user. What this means is that if your account is compromised (for any reason), this will be treated as you not having used a sufficiently strong password.

Avoid linking to external sites from your user page and user talk pages, since this reveals a connection that can be used in an attempt to take over your Wikipedia user account.

If you need to use a public computer or connect your own computer to a public Wi-Fi network, consider establishing an alternative account (see WP:VALIDALT for important instructions and limitations) since malicious software or hardware could capture your password.

Accounts that appear to have been compromised may be blocked without warning; administrators will generally not unblock such accounts without evidence that their rightful owners solely control them.

Never, ever, share your password. Accounts with advanced permissions risk their permissions being revoked or account blocked due to violation of community trust and standards on account sharing.

Changing your password[edit]

Click on "Preferences" at the top right-hand corner of the page and then click the "Change Password" button on the "User Profile" tab to access the Special:ChangePassword page.

Failed login attempts[edit]

Through the notification system, you will be alerted when someone attempts and fails to log in to your account. Multiple alerts are bundled into one for an attempt from a new device/IP, but for a known device/IP, you get one alert for every 5 attempts.

If you receive this notification, don't worry! Your account is still secure. But even if you do have a strong password, you may want to change your password anyway, if you suspect that someone else has tried to access your account.

What to do when your account has been compromised[edit]

Information on what to do when your account has been compromised can be found at Wikipedia:Compromised accounts § After being compromised.

In a nutshell, you can help Wikipedia block access to the account and prevent malicious behavior. Do not expect to be able to regain control of the account.

What to do when your device has been compromised[edit]

Wikipedia's "Log out" link logs out all the user's current sessions. If a logged-in device is lost or stolen, changing the password and logging out on another device may help to prevent future abuse of the account on the lost device.

Privileged editors[edit]

On Wikipedia, only certain users (including administrators) can perform some actions. It is especially important that these privileged editors have strong passwords. Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have weak passwords, or to have had their accounts compromised by a malicious person, may have their accounts blocked and their privileges removed on grounds of site security. In certain circumstances, the revocation of privileges may be permanent. Discretion on resysopping temporarily desysopped administrators is left to the Arbitration Committee, provided they can determine that the administrator is back in control of the previously compromised account.

Two-factor authentication (2FA)[edit]

Wikimedia's implementation of two-factor authentication (2FA) is a way of strengthening the security of your account. If you enable two-factor authentication, every time you log in you will be asked for a one-time six-digit number in addition to your password. This number can be provided by an app on your smartphone or other authentication device (called a TOTP client). In order to login you must know your password and have your authentication device available to generate the code.

Enrolling[edit]

To set up two-factor authentication:

This action is currently limited to administrators, bureaucrats, oversighters, checkusers, edit filter managers, template editors and interface administrators. Other users may request 2FA at Steward requests/Global permissions on Meta.
See Help:Two-factor authentication for step-by-step directions, cautions, and information about this feature.

Notes[edit]

For informal advice on personal security, including passwords, see Wikipedia:Personal security practices.

Users are encouraged to provide an email address in their preferences, as this enables them to reset their password via email if necessary. (Providing an email address also makes possible communications with other users via email; this can be disabled in preferences by unchecking the option "allow other users to email me".) Email alerts generated by the Wikipedia:Notifications system can also be sent to your email address, such as "failed login attempts" and "login from an unfamiliar device" notifications (these two messages are on by default, but are configurable in the notifications preferences).

v t e Wikipedia accounts and governance
Unregistered (IP) users	Why create an account? Create an account Request an account IPs are human too IP addresses are not people IP hopper
Registered users	New account Logging in Reset passwords Username policy Changing username Usernames for administrator attention Unified login or SUL Alternate account
Account security	Password strength requirements User account security Personal security practices Two-factor authentication 2FA for AWB Committed identity On privacy, confidentiality and discretion Compromised accounts How to not get outed
Blocks, bans, sanctions, global actions	Blocking policy FAQ Admin's guide Tools Autoblock Appealing a block Guide to appealing blocks UTRS Unblock Ticket Request System Blocking IP addresses Range blocks IPv6 Open proxies Banning policy ArbCom appeals Sanctions Personal sanctions General sanctions Contentious topics and Log Essay Indef ≠ infinite Long-term abuse Standard offer Global actions
Related to accounts	Sockpuppetry Single-purpose account Sleeper account Vandalism-only account Wikibreak Enforcer Retiring Courtesy vanishing Clean start Quiet return
User groups and global user groups	Requests for permissions Admin instructions Admin guide Account creator PERM (Auto) confirmed PERM Autopatrolled PERM AutoWikiBrowser PERM Bot Request Edit filter helper Request Event coordinator PERM Extended confirmed PERM File mover PERM IP block exempt Request Mass message sender PERM New page reviewer PERM Page mover PERM Pending changes reviewer PERM Rollback PERM Template editor PERM Global rights policy Volunteer Response Team
Advanced user groups	Administrator RfA Bureaucrat RfB CheckUser and Oversight Request Edit filter manager Request Interface administrator Request Founder Importer Researcher
Committees and related	Arbitration Committee Bot approvals group Functionaries Clerks SPI clerks ArbCom clerks
Governance	Administration FAQ Formal organization Editorial oversight and control Quality control Wikimedia Foundation Board Founder's seat Meta-Wiki Proposals WikiProjects Elections Policies and guidelines Petitions Noticeboards Consensus Dispute resolution Reforms