This is an information page. It is not one of Wikipedia's policies or guidelines; rather, its purpose is to explain certain aspects of Wikipedia's norms, customs, technicalities, or practices. It may reflect differing levels of consensus and vetting.
Accounts on Wikipedia may be compromised (hacked) in a number of ways, allowing the misuse of user access levels, as well as user reputation, for illegitimate purposes. It is important for users to take active steps to protect their accounts, especially those with high levels of access such as administrators. This may be done in a number of ways.
Users whose accounts are compromised may have access reduced or their accounts blocked or globally locked.
Both weak and strong passwords are vulnerable, although strong passwords are better. Although this is written with Wikipedia in mind, most of this is applicable to other website accounts.
Weak passwords are especially vulnerable. Weak passwords are also vulnerable to techniques used on strong passwords.
Even strong passwords can easily become vulnerable. But they are much better than weak passwords, principally as they discourage brute-force attacks, and they make hacked websites much less vulnerable to password theft.
Thus, even strong passwords can be rendered useless unless properly secured.
There are a variety of measures that can decrease the likelihood of an account becoming compromised.
Other measures, especially pertinent if not using 2FA.
None of these techniques are foolproof, but a combination of them can greatly reduce the chance of a compromised account.
Through the Wikipedia:Notifications system, you will be alerted when someone attempts and fails to log in to your account. Multiple alerts are bundled into one for attempts from a new device/IP. For a known device/IP, you get one alert for every 5 attempts. If you suspect that someone else has tried to access your account, you may want to change your password anyway, even if you do have a strong password.
Alerts notifying you of a successful login from a new device/IP are only available by email. Web notifications for successful logins from a new device/IP are currently disabled.
By default, the "failed login attempts" and "login from an unfamiliar device" notifications are on for everyone. This is configurable in the notifications preferences.
If you are reasonably certain that an account may be compromised, please contact:
Each group will end up contacting others during the process, either for confirmation or to perform local actions after the emergency has subsided. Advanced permissions may be removed for this portion of the case, if it is suspected that the agent(s) responsible for compromising the account are still trying to access it.
A typical result of having your account compromised is having the account either blocked or locked (a lock disables login from all Wikimedia projects) to prevent further disruption. Although administrators on Wikipedia may be able to help, the WMF Trust and Safety team may also be contacted. See above for details.