All registered users have to log in using a password before they can edit using their usernames. Passwords help ensure that someone does not masquerade as another editor. Editors should use a strong password to avoid being blocked for bad edits by someone who guesses or "cracks" other editors' passwords. Users may access their account's preferences to change their password.

As a rule of thumb, a password that is reasonably long, with a mix of upper and lowercase letters and numbers, and not mostly made up of dictionary words or names or personal information (date of birth, cat's name, etc.) is likely to be reasonably strong for everyday use. Passwords that consist of just lowercase letters can also be reasonably strong, but they must be significantly longer than passwords with more entropy per character; see this XKCD comic strip. However, it is left up to users to decide how strong a password they wish to use beyond this.

Having strong passwords is a necessary condition but not sufficient for strong computer security: for example when using public computers your account could be compromised by keyloggers.

Accounts that appear to have been compromised may be blocked without warning; administrators will generally not unblock such accounts without evidence that their rightful owners solely control them.

Be careful on public WiFi networks. Sometimes there may be people sniffing packets and looking at information. If you edit from a public WiFi network it is a good idea to use a VPN.

On Wikipedia, only certain users (including administrators) can perform some actions. It is especially important that these privileged editors have strong passwords. Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have weak passwords, or to have had their accounts compromised by a malicious person, may have their accounts blocked and their privileges removed on grounds of site security. In certain circumstances, the revocation of privileges may be permanent. Discretion on resysopping temporarily desysopped administrators is left to the bureaucrats, provided they can determine that the administrator is back in control of the previously compromised account.

As of December 2015, users with advanced permissions are formally required to maintain a password that meets certain specific requirements and may have their passwords audited by the Wikimedia Foundation.

For advice on personal security, including passwords, see Wikipedia:Personal security practices and Keys to a Strong Password.

Users are encouraged to provide an email address in their preferences, as this enables them to reset their password via email if necessary. (Providing an email address also makes possible communication with other users via email; this can be disabled in preferences by unchecking the option "Enable e-mail from other users".)

• Wikipedia:Blocking policy
• Password strength
• Don't leave your fly open
• Wikipedia:Secure server
• Wikipedia:Committed identity
• Wikipedia:Wikipedia Signpost/2006-02-06/Password security
• Wikipedia:Wikipedia Signpost/2006-12-18/Technology report
• Wikipedia:Wikipedia Signpost/2007-05-07/Admins desysopped
• Wikipedia:Wikipedia Signpost/2010-08-02/Technology report
• Wikipedia:Wikipedia Signpost/2015-11-11/Discussion report
• Wikipedia:Village pump (proposals)/Account security