Acalamari (talk | contribs)
Line 24: Line 24:
#Avoid using public computers to edit, but if you do decide to use one, always remember to log out when you are done, and when you return to your private computer, it may be worth changing your password.
#Avoid using public computers to edit, but if you do decide to use one, always remember to log out when you are done, and when you return to your private computer, it may be worth changing your password.
#Be careful when running user scripts. Some scripts can be programmed to steal cookies and thus compromise accounts. Be careful of scripts that contain the string <tt>document.cookie</tt>.
#Be careful when running user scripts. Some scripts can be programmed to steal cookies and thus compromise accounts. Be careful of scripts that contain the string <tt>document.cookie</tt>.
#Be careful when running executables (vandalism patrollers, editing tools, etc). Some claim to help make editing easier, but can actually contain viruses that steal your password.
#Be careful when running executables (vandalism patrollers, editing tools, etc). Some claim to help make editing easier, but can actually contain viruses that steal your password. A [[packet sniffer]] may help detect if your password is being sent to suspicious IPs.


==Protection==
==Protection==
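
Review bot: The sentence added to the executables item leaves "suspicious IPs" undefined and does not say what the editor should do if the sniffer shows such traffic, so as written it is not actionable. It also describes a check made after the executable has already run, while the rest of the item is about being careful before running one. Consider wording it as a follow-up step, saying what to look for, and saying that the password should be changed if such traffic is seen.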

Revision as of 22:57, 8 May 2007

Security on Wikipedia refers to the methods and principles employed to guard against potentially damaging actions taken by malicious or unqualified persons.

Passwords

All registered users have a password which works like any login password. Passwords help ensure that someone does not masquerade as another editor. Editors must use a strong password to avoid being blocked for bad edits by someone who guesses or "cracks" other editors' passwords.

Some actions on Wikipedia can only be carried out by privileged editors. The most common kind of privilege is adminship. It is especially important that privileged editors have strong passwords. Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have weak passwords will have their privileges removed on grounds of site security. If an editor's password can be cracked by someone running one of the many quite sophisticated open source password crackers available on the internet, editing and other privileges will be removed before someone "borrows" it for malicious purposes. Before the removal of these privileges, editors with weak passwords will be contacted and given a chance to change to a strong password. If privileges are removed because of a weak password, said privileges will be automatically returned once the password is strengthened.

Although the definition of "strong password" is deliberately left unspecified, privileged editors are required to use strong passwords and are informed that the developers will try to crack their passwords.

Administrators should make a second account without administrator abilities if they want to edit Wikipedia in public places such as a library. When editing on a semi-public computer, such as a computer at work, it is a best practice to log out of Wikipedia when leaving the workstation.

Editors should use different passwords for every system on which they have an account. That limits the damage of a compromise: if one account is compromised, the other accounts are not automatically compromised as well.

Password security tips

Here are some tips that editors should consider to reduce the likelihood that their accounts may be compromised:

  1. Never give your Wikipedia password to anyone, not even Wikimedia staff.
  2. Only enter your password on a Wikimedia site. Beware of fake sites that resemble Wikimedia sites. Users should check that their browser is on a Wikimedia domain.
  3. Also, your Wikimedia passwords should be different from passwords used elsewhere.
  4. Keep your computer up-to-date with the latest anti-virus software.
  5. Your password should be easy to remember, but hard to guess. "Password" is not a secure password, but ".h$e9b2p3" is (however, do not use this as a password, since it has been divulged as an example). See also Keys to a Strong Password.
  6. Avoid using public computers to edit, but if you do decide to use one, always remember to log out when you are done, and when you return to your private computer, it may be worth changing your password.
  7. Be careful when running user scripts. Some scripts can be programmed to steal cookies and thus compromise accounts. Be careful of scripts that contain the string document.cookie.
  8. Be careful when running executables (vandalism patrollers, editing tools, etc). Some claim to help make editing easier, but can actually contain viruses that steal your password. A packet sniffer may help detect if your password is being sent to suspicious IPs.
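
As an added illustration of tip 7 (not part of the policy page and not a Wikimedia tool), the sketch below lists every place a user script touches document.cookie so that it can be reviewed before installing. It also reports bracket and computed property access on document, which a plain search for the string would not show. The pattern names and the sample script are constructed for the example.

```javascript
// Added example: review aid for user scripts, not code from the policy page.
const PATTERNS = [
  // document.cookie, tolerating whitespace or newlines around the dot
  { kind: "dot", re: /\bdocument\s*\.\s*cookie\b/g },
  // document["cookie"], document['cookie'], document[`cookie`]
  { kind: "bracket", re: /\bdocument\s*\[\s*(["'`])cookie\1\s*\]/g },
  // document[<expression>]: the property name is computed at run time,
  // so a string search cannot rule out cookie access; review by hand
  { kind: "computed", re: /\bdocument\s*\[\s*(?!["'`]cookie["'`]\s*\])[^\]]+\]/g },
];

// Returns [{ line, kind, text }] sorted by line number (1-based).
function findCookieAccess(source) {
  const hits = [];
  for (const { kind, re } of PATTERNS) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split("\n").length;
      hits.push({ line, kind, text: m[0] });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed sample user script (not taken from any real script).
const SAMPLE_SCRIPT = [
  "// constructed sample user script",
  "function addTab() { return document.getElementById('p-cactions'); }",
  "var a = document.cookie;",
  "var b = document['cookie'];",
  "var k = 'coo' + 'kie'; var c = document[k];",
].join("\n");

for (const h of findCookieAccess(SAMPLE_SCRIPT)) {
  console.log(`line ${h.line}: ${h.kind} access: ${h.text}`);
}
```

A clean result only means these three forms are absent from this file; a script that loads further code from elsewhere has to be reviewed together with what it loads.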

Protection

Sometimes pages may be protected to prevent their being vandalized. Protection is also sometimes used for other purposes such as "cooling down" edit wars or allowing editors to review the history of an article during some discussions on deletion review.

Blocking

Sometimes an editor, an IP address, or a range of IP addresses may be blocked to stop them damaging Wikipedia. Accounts that are compromised will be blocked immediately, regardless of the original standing of the editor.

Other security

This policy is not a tutorial on all the possible ways in which a Wikipedia account could be compromised. However, keeping a secure account is each editor's responsibility. Editors are required to take security seriously. Compromised accounts will be immediately blocked and any associated group settings will be revoked. Administrators and other privileged editors may have to reapply to regain those privileges. Uncompromised accounts found to have weak passwords may also be locked out by their password being changed. If you have no registered email address, this may result in your account becoming irrevocably locked.
