All registered users have to log in using a password before they can edit using their usernames. Passwords help ensure that someone does not masquerade as another editor. Editors should use a strong password to avoid being blocked for bad edits by someone who guesses or "cracks" other editors' passwords. Users may access their account's preferences to change their password.

Password strength requirements are explained in the password policy. For normal users, those requirements are enforced when an account is created and when a password is changed.

You should have a password that:

• is at least eight characters (ten for privileged accounts);
• has a mixture of upper and lowercase letters and numbers;
• avoids dictionary words, given or last names, or personal information (date of birth, cat's name, etc.);
• is not used on any other website.

Do this, and your password is likely to be reasonably strong. The last point is important—do not use a password to log in at Wikipedia if you use that password on any other website. Many websites where users log in have had security breaches and lists of hacked user names and passwords are publicly available. Those lists are periodically used in attempts to take over user accounts at Wikipedia.

If logging in at a public computer or using a public WiFi network, be aware that malicious software or hardware might capture your password.

Accounts that appear to have been compromised may be blocked without warning; administrators will generally not unblock such accounts without evidence that their rightful owners solely control them.

Changing your password

Click on "Preferences" at the top right hand corner of the page.

What to do when your account has been compromised

On Wikipedia, only certain users (including administrators) can perform some actions. It is especially important that these privileged editors have strong passwords. Administrators, bureaucrats, checkusers, stewards and oversighters discovered to have weak passwords, or to have had their accounts compromised by a malicious person, may have their accounts blocked and their privileges removed on grounds of site security. In certain circumstances, the revocation of privileges may be permanent. Discretion on resysopping temporarily desysopped administrators is left to the bureaucrats, provided they can determine that the administrator is back in control of the previously compromised account.

As of December 2015, users with advanced permissions are formally required to maintain a password that meets certain specific requirements and may have their passwords audited by the Wikimedia Foundation.

Although users with other specialized functions (such as template editor) are not formally required to maintain strong passwords or have them audited, they are still strongly encouraged to do so.

Wikimedia's implementation of two-factor authentication (2FA) is a way of strengthening the security of your account. If you enable two-factor authentication, every time you log in you will be asked for a one-time six digit number in addition to your password. This number can be provided by an app on your smartphone or other authentication device. In order to login you must know your password and have your authentication device available to generate the code.

Enrolling

To set up two-factor authentication:

• This action is currently limited to administrators, bureaucrats, oversighters, checkusers, edit filter managers, and interface administrators. Other users may request 2FA at Steward requests/Global permissions on Meta.
• First you must have or install a Time-based One-time Password Algorithm (TOTP) client. For most users, this will be a phone or tablet application. Google Authenticator is a popular example ^{Android iOS}, along with other implementations of it.
• Next go to Special:OATH (this link is also available from your preferences).
• Special:OATH presents you with a QR code containing the two-factor account name and two-factor secret key. This is needed to pair your client with the server.
• Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.
• Enter a verification code from your TOTP client into the OATH screen to complete the enrollment.

For advice on personal security, including passwords, see Wikipedia:Personal security practices and Keys to a Strong Password.

Users are encouraged to provide an email address in their preferences, as this enables them to reset their password via email if necessary. (Providing an email address also makes possible communications with other users via email; this can be disabled in preference by unchecking the option "Enable e-mail from other users".)

• Wikipedia:Avoid scams
• Wikipedia:Blocking policy
• Wikipedia:Password strength requirements
• Password strength
• Don't leave your fly open
• Wikipedia:Committed identity
• Wikipedia:FAQ/Technical (how to recover password)
• Wikipedia:Wikipedia Signpost/2006-02-06/Password security
• Wikipedia:Wikipedia Signpost/2006-12-18/Technology report
• Wikipedia:Wikipedia Signpost/2007-05-07/Admins desysopped
• Wikipedia:Wikipedia Signpost/2010-08-02/Technology report
• Wikipedia:Wikipedia Signpost/2015-11-11/Discussion report
• Wikipedia:Village pump (proposals)/Account security