Wikipedia:User account security
This is an information page that describes a communal consensus on some aspect or aspects of Wikipedia's norms and practices. It is intended to supplement and/or clarify a process or some guidance. It is not one of Wikipedia's policies or guidelines; where something is inconsistent with this essay, please defer to those.
This page in a nutshell: Failing to use a sensible password can lead to temporary loss of editing access and may lead to permanent loss of privileged access.
All registered users have to log in using a password before they can edit using their usernames. Passwords help ensure that someone does not masquerade as another editor. Editors should use a strong password to avoid being blocked for bad edits made by someone who has guessed or "cracked" their password. Users may access their account's preferences to change their password.
As a rule of thumb, a password that is reasonably long, with a mix of upper and lowercase letters and numbers, and not mostly made up of dictionary words or names or personal information (date of birth, cat's name, etc.) is likely to be reasonably strong for everyday use. Passwords that consist of just lowercase letters can also be reasonably strong, but they must be significantly longer than passwords with more entropy per character; see this XKCD comic strip. However, it is left up to users to decide how strong a password they wish to use beyond this.
Accounts that appear to have been compromised may be blocked without warning; administrators will generally not unblock such accounts without evidence that their rightful owners solely control them.
Be careful on public WiFi networks. Sometimes people on these networks sniff packets and look at the information passing over them. If you edit from a public WiFi network, it is a good idea to use a VPN.
On Wikipedia, only certain users (including administrators) can perform some actions. It is especially important that these privileged editors have strong passwords. Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have weak passwords, or to have had their accounts compromised by a malicious person, may have their accounts blocked and their privileges removed on grounds of site security. In certain circumstances, the revocation of privileges may be permanent. Discretion on resysopping temporarily desysopped administrators is left to the bureaucrats, provided they can determine that the administrator is back in control of the previously compromised account.
Although the definition of "strong password" is deliberately left unspecified, privileged editors are required to use strong passwords and are informed that the Wikimedia system administrators will occasionally try to crack their passwords and disable those that can be cracked.
Users are encouraged to provide an email address in their preferences, as this enables them to reset their password via email if necessary. (Providing an email address also makes it possible to communicate with other users via email; this can be disabled in preferences by unchecking the option "Enable e-mail from other users".)