Wikipedia:User account security
This is an information page that describes communal consensus on some aspect of Wikipedia norms and practices. It is intended to supplement or clarify some other guidance or process. This is not a Wikipedia policy or guideline; please defer to such in a case of inconsistency with this page.
This page in a nutshell: Failing to use a sensible password can lead to temporary loss of editing access and may lead to permanent loss of privileged access.
All registered users have to log in using a password before they can edit using their usernames. Passwords help ensure that someone does not masquerade as another editor. Editors should use a strong password so that they are not blocked for bad edits made by someone who guesses or "cracks" their password.
As a rule of thumb, a password that is reasonably long, with a mix of upper and lowercase letters and numbers, and not mostly made up of dictionary words or names or personal information (date of birth, cat's name, etc.) is likely to be reasonably strong for everyday use. Passwords that consist of just lowercase letters can also be reasonably strong, but they must be significantly longer than passwords with more entropy per character; see this XKCD comic strip. However, it is left up to users to decide how strong a password they wish to use beyond this.
Accounts that appear to have been compromised may be blocked without warning; administrators will generally not unblock such accounts without evidence that their rightful owners solely control them.
On Wikipedia, only certain users (including administrators) can perform some actions. It is especially important that these privileged editors have strong passwords. Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have weak passwords, or to have had their accounts compromised by a malicious person, may have their accounts blocked and their privileges removed on grounds of site security. In certain circumstances, the revocation of privileges may be permanent. Discretion on resysopping temporarily desysopped administrators is left to the bureaucrats, provided they can determine that the administrator is back in control of the previously compromised account.
Although the definition of "strong password" is deliberately left unspecified, privileged editors are required to use strong passwords and are informed that the Wikimedia system administrators will occasionally try to crack their passwords and disable those that can be cracked.
Users are encouraged to provide an email address in their preferences, as this enables them to reset their password via email if necessary. (Providing an email address also makes it possible for other users to communicate with them via email; this can be disabled in preferences by unchecking the option "Enable e-mail from other users".)