Help:User account security

Everyone with an account on has a password that they use to log in. This password must be kept secret, because anyone who knows the password for an account can get into that account! Passwords are the keys to your account, and like the keys to your house, you should never let anyone else have them. If someone else knows the password for your account, they can log into it and steal it from you. Worse, any edits they make using your account will look like they are coming from you! Security is everybody's responsibility, but at the end of the day, the person who can best protect your account is you. There are many things that you can do to ensure that your password stays secret and that your account stays yours.

Don't tell anybody your password
'''NEVER TELL ANYBODY THE PASSWORD FOR YOUR ACCOUNT. EVER!''' administrators and Miraheze Staff will never ask you for your password, under ''any'' circumstances. If someone asks you for your password, don't tell them. Telling someone your password is like giving your house keys to anybody who asks for them. Of course somebody is going to take advantage of that to steal from your house!

Sometimes, people may contact you claiming to be members of Miraheze Staff, administrators, an authoritative figure (e.g. the "Chief Security Officer of Miraheze"), or even law enforcement and police. They may make frightening demands for you to give them your password or risk losing access to the site, or even being arrested or charged. If these things ever happen to you, know that they are not real and that you should not give them your password, no matter what. You may wish to email to let Miraheze Staff know that you have been receiving these messages.

Use a strong password
A strong password is useless if you tell somebody the password, but if you keep your password a secret, then a strong password is probably the best defense you have against account hijacking. A weak password is one that is easily guessable, such as "1234", "abcd", or a single word, like "password" (yes, people still use the word "password" as their password; DON'T DO IT).

These days, people who want to break into your account, also known as "hackers" or "crackers", usually write computer programs, or "bots", that automatically try to guess people's passwords. These bots first work through a list of commonly used passwords before they try every possible combination of characters. This is known as a brute-force attack, and if you have a weak password, it will eventually succeed.

As such, there is no question that you need a secure password. However, over the years, what constitutes a "secure" password hasn't always been clear.

The old way: classical passwords
You may have heard the old-timer advice that passwords:


 * Must contain a random, nonsensical mix of uppercase and lowercase letters, numbers, and perhaps symbols
 * Must be longer than eight characters at minimum (the longer the better)
 * Must not contain any dictionary words or words in a foreign language
 * Must not be used on another website, or be used in examples (for example, don't use  as your password, because we just used it in an example)

These passwords are not insecure, and they do work pretty well in protecting your account from even the worst brute-force attacks. The problem is that they are very hard to remember, which often leads to other insecure practices like writing passwords down on sticky notes (we'll cover those further down this page). These kinds of passwords are best used with a password manager. However, there is a better way.

The new way: random sentences
XKCD did a nice comic on password strength which has been linked to numerous times around the web. You can read it here. In a nutshell, the comic says that a good password consists of a sentence made up of randomly selected dictionary words. Because they are randomly chosen and don't make any sense together, they are hard for computers to guess, but are easy for humans to remember, since they are all words in the dictionary.

A good way to create a password using this method is to:
 * 1) Grab a random book, flip to a random page, and pick a random word from that page
 * 2) Grab another random book or go to a random web page on the Internet (like a random Wikipedia article) and get a random word from there
 * 3) Repeat as many times as desired; usually, four to six times is good enough

The XKCD comic used the password "correct horse battery staple" as an example of what you could potentially come up with. Obviously, don't use "correct horse battery staple" as your password, since it's already been used as an example, but you get the idea: at least four randomly selected words cobbled together to make a seemingly nonsensical sentence. This is much easier to remember than the  we gave earlier.
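The following is an added example, not part of the original help page, showing the random-sentence method in code and comparing its strength with a classical random password. The word list is a constructed sample; the list sizes 7776 and 2048 are assumptions that mirror a common diceware-style list and the list in the XKCD comic. The strength figures only hold if the words are picked at random; a sentence you make up yourself is far weaker.

```python
import math
import secrets

# Constructed sample word list for the demonstration. A real list, such as a
# diceware-style list, has thousands of entries (7776 in the common ones).
SAMPLE_WORDS = [
    "orbit", "velvet", "kettle", "mango", "tundra", "pixel",
    "quartz", "lantern", "saddle", "cobalt", "fathom", "walrus",
]


def random_passphrase(words, count=4, separator=" "):
    """Build a passphrase from `count` words drawn uniformly at random.

    secrets.choice uses the operating system's CSPRNG; random.choice is not
    suitable for secrets. Words are drawn with replacement, so a repeated word
    is possible and harmless.
    """
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, length):
    """Entropy of a secret made of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def compare_strategies(list_size=7776, word_count=4, classic_len=8, classic_alphabet=94):
    """Compare a random word passphrase with a classical random password.

    94 is the number of printable ASCII characters excluding the space, i.e. a
    "mix of letters, numbers and symbols" password of classic_len characters.
    """
    return {
        "passphrase": round(entropy_bits(list_size, word_count), 1),
        "classic": round(entropy_bits(classic_alphabet, classic_len), 1),
    }


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(SAMPLE_WORDS, 4))
    print("4 words vs 8 random characters:", compare_strategies())
    print("6 words vs 8 random characters:", compare_strategies(word_count=6))
```

Four words from a 7776-word list are roughly as strong as eight fully random characters, and six words comfortably exceed that, which is why the page's "four to six" guidance works.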

Use a password manager
There's a good chance that you have multiple accounts on the Internet. The average Internet user has 90 accounts, and thus 90 passwords to remember. It's no wonder that many Internet users are guilty of reusing the same password across multiple websites. The problem with password reuse is that, if someone manages to guess that one password, they have access to all of your accounts!

A good way to prevent password reuse is to use a password manager. A password manager is a computer program or utility that stores the passwords for your online accounts and gives you the ability to fill them in automatically with one click. Most web browsers have a built-in password manager that is better than nothing, although you may find more flexibility in third-party password managers such as LastPass and Dashlane. Password managers eliminate the need to memorize hundreds of secure passwords and can be a good deterrent to password reuse.

Set up email on your account
Connecting your account to an email address allows you to reset your password in the event that you lose it. You can also configure it to get security notifications over email, such as when someone else logs into your account from an unfamiliar device.

To set up email on your account:


 * 1) Go to your user preferences
 * 2) Scroll down to the '' section
 * 3) Click on ''
 * 4) Follow the instructions there to set up your email address. You will be sent a confirmation email containing a link that you must click on in order to complete the process.

Once your email address has been confirmed, you will be able to receive automated emails relating to your account. Additionally, if you need to reset your password, you will be sent an email containing instructions on how to reset it. If someone steals your account and changes your password, there is a chance you can still recover your account by resetting the password.

Exercise good computer hygiene
Practicing good computer hygiene is like brushing your teeth every day; it's a good habit you want to have. Some good habits to set up include:
 * Log out after you're done. Logging out ensures that nobody can just sit down at your computer and use your still-logged-in account.
 * Lock your computer if you're stepping away from it. Virtually every operating system today has an option to "Lock" your computer so that a password is needed to continue using it. And speaking of computer passwords...
 * Set up a password for your computer. If you don't set up a password, anyone who has physical access to the computer can just use it however they please. Set up a password, a PIN, or an unlock pattern for all of your computers, including your laptop, tablet, and smartphone.
 * Don't write your password down in the open. Never write passwords down on sticky notes and then stick them onto your wall or monitor where everybody can see them. Never write your password down in an unencrypted text file on your computer either. Consider using a password manager to store your passwords instead if you really can't remember them.
 * Do not use toolbars or browser extensions from untrusted third parties. Most modern browsers use a "permission" system for browser extensions in order to limit the amount of control they have. Take a look at the permissions for your extensions. Do they request access to all of the sites you visit? If so, can you trust them not to steal your passwords? Use cautious settings for every extension you have installed, and remove extensions from developers you don't trust or extensions you don't use very often.
 * Don't run untrusted programs on your computer. Make sure that the programs you run are trustworthy and won't hijack your computer or install malware like keyloggers that can steal your password or otherwise spy on you. When installing programs, do not blindly click "Yes" or "Accept" on any dialog box that pops up, as installers can sometimes install unwanted browser toolbars and programs that are very difficult to get rid of later on. Having a good anti-virus program can help, but it is not a replacement for being careful.
 * Don't go clicking on flashy links with catchy titles blindly. Many malicious web pages are specifically designed to make them eye-catching to you so you will be motivated to click on them, or they may try to anger or excite you, or encourage you to share them with as many people as possible. These sites are often known to spread malware, which can be used to steal your passwords.

Beware of phishers
Phishing is a sneaky tactic that thieves and other nefarious people use to trick you into giving them your sensitive or private information, such as your credit card number or passwords. They usually send you messages that look real, like an important notice from your bank, and will often include links to click on that look legitimate. An example of phishing would be getting a link that looks exactly like the log-in page for, but when you enter your username and password, your information gets sent to the thief's servers rather than to 's servers.

To protect yourself against phishing, consider the following advice:
 * Read every email you get carefully. Phishing emails usually contain oddities like:
   * suspicious or unusual email addresses
   * the "To" field being blank or addressed to another person
   * typos and grammatical errors
   * urgent requests for private or personal information
   * demands to act now or risk problems or penalties like losing access to your account or lots of money
   * links to suspicious websites
 * If you spot a suspicious email in your inbox, do not open any links in it. Many email services like Gmail provide options to report the email for spam or phishing. If you are using a school or company email account, talk to your system administrator about it.
 * Check links before opening them. You can see where a link will take you by hovering your mouse cursor over the link (without clicking on it!). The address of the page that the link will take you to will be shown in the bottom-left corner of the browser window. If you are on a touch-screen device, you can usually check the link by pressing and holding on it. Suspicious links include:
   * bizarre domain names (for example, the domain name for Google's website is google.com, and a valid sub-domain can be something like keep.google.com or accounts.google.com; a phishing link might point to google.com.tkabc or accounts-google.com)
   * numbers substituted for letters (for example, h0rse instead of horse)
   * links that don't start with https://
   * links to URL shortening services (such as bit.ly or goo.gl; these make it easier to share long links with others, but can also be used to hide malicious websites behind them, and there is never a need to use a shortened URL in an email)
 * Checking links is not a foolproof method, as links can easily be forged, but it can stop some of the more preventable phishing cases.
 * Always double-check the URL before logging in. If you are logging in to a legitimate login page on, the URL will be as follows: . To be safe, never log in through a page that you reached by clicking on a link in an email. Always type the full URL for  by hand and use that to log in.
 * If you believe you have been phished, change your password as quickly as possible.
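As an added example (not code from the original help page), the link checks listed above written as a small function: it takes the real destination address of a link (the one shown on hover) and the domain of the site you expect, and reports which of the listed warning signs apply. The shortener list is a constructed sample, and the digit-for-letter map covers only the most common substitutions; an empty result means nothing was flagged, not that the link is safe.

```python
from urllib.parse import urlsplit

# Constructed list of URL shortener hosts; extend it with any others you encounter.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}

# Digits that commonly stand in for letters in look-alike host names (h0rse for horse).
LEET = str.maketrans("0134", "olea")


def _belongs_to(host, domain):
    """True if host is the domain itself or a sub-domain of it (keep.google.com)."""
    return host == domain or host.endswith("." + domain)


def link_warnings(url, expected_domain):
    """Return the warning signs that apply to `url` for a site whose domain is `expected_domain`.

    Applies the heuristics from the list above to the real destination address,
    not to the link text. An empty list means nothing was flagged, which is
    not the same as the link being safe.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("does not start with https://")
    if not host:
        warnings.append("no host name in link")
        return warnings
    if host in SHORTENERS:
        warnings.append("URL shortener hides the real destination")
    if not _belongs_to(host, expected):
        # google.com.tkabc would pass a naive "contains google.com" test but fails
        # this one, as does accounts-google.com, which is a different domain.
        warnings.append(f"host {host!r} is not {expected!r} or a sub-domain of it")
        # A host like g00gle.com is caught when undoing the digit substitution
        # yields the expected domain.
        if _belongs_to(host.translate(LEET), expected):
            warnings.append("look-alike host using digits in place of letters")
    return warnings


if __name__ == "__main__":
    for link in ("https://accounts.google.com/ServiceLogin",
                 "https://google.com.tkabc/login",
                 "http://accounts-google.com/login",
                 "https://g00gle.com/", "https://bit.ly/3abc"):
        print(link, "->", link_warnings(link, "google.com") or ["nothing flagged"])
```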

Stay safe on Wi-Fi
Wi-Fi is a common and popular way for portable devices, such as smartphones and laptops, to connect to the Internet. Wi-Fi connections are much easier to intercept and hijack than wired Ethernet connections, because the information travels through the air as high-frequency radio waves that anyone within range can receive. Hackers can use programs like Wireshark to snoop on unprotected transmissions over the air.

If you are on a public Wi-Fi network, like that in a coffee shop or other location open to the public, the Wi-Fi network will either be unencrypted (meaning there is no password needed to access), or the password will be known to everyone (like being written on the wall). Security is therefore very limited. To protect yourself on these networks:


 * Consider not logging in at all. The risk of having someone steal your password over the unprotected airwaves may be too great.
 * If you do need to log in, at the very least make sure you are using HTTPS. The address bar should begin with  to indicate that you are on a secure connection.
 * Consider using a VPN. VPNs route your traffic through a protected tunnel to prevent attackers from being able to snoop in it.
 * Use an account that you have specifically created for use on public Wi-Fi networks. That way, if someone does steal your password, it will be for that account and not your main account.
 * Make sure the location you're in actually has Wi-Fi. Not every coffee shop has Wi-Fi, and just because a Wi-Fi network looks like it belongs to the coffee shop you're in doesn't necessarily mean the coffee shop runs it. The coffee shop Wi-Fi that you might want to use may very well be coming from a hacker with their laptop a couple tables down!

If you are on your home, school, or work Wi-Fi network, chances are you'll have to enter a password in order to connect to the network. Networks that require a password to use are encrypted, meaning that any communications sent over them can't be easily picked up by other people without the password. If you are at home, make sure your Wi-Fi password is secure, since anybody who has the password can decrypt your communications, and potentially see what you are transferring over it.

Set up two-factor authentication
Two-factor authentication, or 2FA, adds a second layer of protection to your account by requiring, in addition to your password, a passcode generated by an app on your phone. That way, even if someone cracks your password, they still can't get into your account unless they also have your phone.

Two-factor authentication is a last line of defense against an attack, so it's not a replacement for a secure password. Two-factor authentication also comes with many caveats that you should be aware of. See Help:Two-factor authentication for details on how to set it up for your account.

Establish a committed identity
You can set up a committed identity by following the instructions on Template:Committed identity. This usually involves hashing a secret string, like a sentence of your choosing, which produces a seemingly random sequence of characters. Nobody can figure out what your secret string is by looking at the hash, but anyone who knows the secret string can run it through the hash generator to see if the two hashes match up.

For example, let's say you hash a secret string (in this case, we'll use "Bob has a dog named Billy") under the SHA-256 hashing algorithm. This produces our hash, which will be placed publicly on your user page. This hash will always be the same whenever you hash "Bob has a dog named Billy" under the SHA-256 algorithm; however, nobody can figure out that "Bob has a dog named Billy" is the secret string just by looking at the hash. Hashing is not reversible, but it is consistent. If someone steals your account, Miraheze Staff have the ability to restore your account, but they won't do it unless they are 100% sure they are talking to the right person. You can email Staff your secret string ("Bob has a dog named Billy"), and they can hash it and see if the hash matches the one on your user page. If they match, Staff will be able to confirm that you are the original owner of the account.

Establishing a committed identity is something you need to do before your account is compromised. Having a committed identity also doesn't prevent your account from being stolen in the first place, so you still need to have a secure password and observe good computer hygiene to keep yourself secure. Having a committed identity is an absolute last defense that is employed after an attacker has already stolen your account and has removed all your other options of recovery. When setting up your committed identity, you must keep your secret string in a secure location, since anybody who steals the string will be able to steal your identity. In other words, your secret string is like a second password. Refer to the Use a strong password section for information on how to set a secure string.
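The commit-and-verify procedure described above, as an added example that is not the template's own tooling: `commit` produces the SHA-256 hex string to publish, and `verify` is the check Staff perform on the string you later send them. The whitespace and Unicode normalisation is an assumption added here because a stray trailing newline (for example from `echo`) or a different Unicode form would otherwise make the same sentence hash differently in different tools.

```python
import hashlib
import hmac
import unicodedata


def normalize(secret):
    """Canonical form of the secret string.

    Strips surrounding whitespace (echo appends a newline) and applies NFC so
    that accented characters hash the same regardless of how they were typed.
    """
    return unicodedata.normalize("NFC", secret).strip()


def raw_hash(data):
    """SHA-256 hex digest of raw bytes, with no normalisation at all."""
    return hashlib.sha256(data).hexdigest()


def commit(secret):
    """The hash to publish on your user page: the committed identity."""
    return raw_hash(normalize(secret).encode("utf-8"))


def verify(claimed_secret, published_hash):
    """The check Staff perform: hash the claimant's string and compare with the page.

    hmac.compare_digest runs in constant time, so the comparison itself does
    not reveal how many leading characters of a wrong guess matched.
    """
    return hmac.compare_digest(commit(claimed_secret), published_hash.strip().lower())


if __name__ == "__main__":
    secret = "Bob has a dog named Billy"  # the page's example sentence
    published = commit(secret)
    print("publish on user page:", published)
    print("correct string verifies:", verify(secret, published))
    print("wrong string verifies:", verify("Bob has a dog named Bill", published))
    # The raw digests differ by a single newline, which is why normalize() matters.
    print("raw 'a' vs 'a\\n' equal:", raw_hash(b"a") == raw_hash(b"a\n"))
```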

Consequences of a weak password
Users who have advanced permissions like administrator or bureaucrat permissions must have a strong and secure password, as a compromised administrator or bureaucrat account can cause serious damage to the site. Administrators or bureaucrats who are found to have weak or insecure passwords will lose their permissions, without chance of regaining them, until they have demonstrated better account security practices.

Regular editors who lose their account due to insecure practices risk having their accounts blocked as compromised. Compromised accounts are usually not unblocked unless the original owner has demonstrated their identity (such as by having a committed identity) and has demonstrated better security practices. Editors who are routinely unable to demonstrate appropriate practices for safeguarding their account may be blocked indefinitely.

In all cases, it is important that you use a strong, secure password for your account, one that is not used on any other sites, and you take appropriate measures to keep your password secret and your account safe. In terms of computer security, it is always better to be safe than sorry, and it's often too late to be sorry once someone steals your account.