Protecting your digital identity

Most security breaches on the internet are related to stolen or weak passwords. We want to build upon the culture of security within the Wikimedia movement to protect accounts from being compromised. Having one of your online accounts hacked can be a disruptive and disturbing experience. That's why the Wikimedia Foundation's Security team wants to make preventing that a little easier by updating our password policies (more on that at the bottom) and have put together six rules for selecting a good password.We strongly encourage all current Wikimedia users to review the updated policy and current passwords to ensure that their account remains secure.

If you travel through the midst of internet time you may remember an era where passwords such as: “letmein” or ‘secret’ or even ‘password’ were used fairly commonly. The National Institute of Standards and Technology picked up on this and with the best intentions and a desire to better protect folks on the internet in mind, created a new standard for passwords. This new standard favored complexity as a means of securing access to your favorite sites, applications, and services.

With the notion of complexity being king, we human beings decided that if some complexity is good, more is probably better. The problem with that approach was the more complex things became the harder it was to meet the requirements and remember passwords which then encouraged poor credential habits like passwords on post-it notes, having a single ‘strong’ password and one that gets used for everything else.

Fast-forward to now, the rules have changed, and we will be changing our password requirements for Wikimedia (more on that in a bit). With those upcoming changes in mind, the Wikimedia Security team has put together 6 rules for selecting a good password.

Rule #1 Favor length over complexity
When creating a password pick something that is easy to remember but has a lot of characters and is made up from multiple words. I like to use a collection of thoughts and things to create a statement or phrase. This phrase could be nonsensical or something real.

For example, here’s a picture of my dog Jimmy. If we create a password from this picture…“That dog is standing in the violets and needs a shave!” -- this is a great password for a few reasons: it’s long, difficult to guess or crack, but it’s easy to remember because it’s true.

If we compare that to a more complex password with fewer characters such as D0gg@sRul3! it’s still tough to crack but that one is much harder to create and to remember and a lot more likely to be recycled for use in other places which is a bad idea and something we will talk more about when we get to rule #5.

Rule #2 D0nt M@k3 1t h/\rd3r t#aN 1T hA5 t %e! (Don’t make it harder than it has to be!)
Complexity is the enemy of security. From a credentialing standpoint, it encourages very bad habits. When we add more complexity to credentials, it makes it harder to remember passwords and strengthens the temptations to reuse the same credentials on multiple sites, which is a very bad idea (see rule #5). You can create a great password without making it super complicated.

Rule #3 Don’t change passwords just for the sake of changing them
Changing passwords for the sake of changing them enforces a couple of bad habits. Primarily, it encourages the selection of bad passwords (such as passwords that follow the seasons, like Summer2018 or Winter2018). This also encourages credential reuse—so e.g. when users get prompted to change their password, it's easier to just use something you are already using somewhere else. This is a bad idea (see rule #5).

You should change your password if you know or suspect that the account has been compromised. There are a couple places on the internet that can help you find that information, such as the website have i been pwned?.

Rule #4 Don’t use the name of the site, application or thing as part of the password
While incorporating the name of the site or application into your password creation process might be tempting, it’s not a great idea. This concept extends to products or services that the site or application provides also. When you create credentials they should be unique and separate from the activity you are participating in. An example is if your password on Wikipedia is 'i edit Wikipedia,' you should change your password.

Rule #5 Don’t reuse passwords
This rule has been mentioned in just about every other rule because it’s extremely important. Many of us go to lots of places on the internet, and that results in lots of credentials. That also means that it's not super odd to create common credentials, reused across social media or banking or other sites. Often we've created a “good” strong password that we use it for sensitive sites, and an "ok" password that is used for less critical things.

Unfortunately, recycling passwords is pretty dangerous. Here's a very common and oft-heard scenario:


 * Let’s say your favorite site gets compromised and on that site you used your “good” password.
 * A dump of user id’s and passwords from that compromise will absolutely find its way to and will be posted someplace on the internet.
 * Random ne’er-do-wellers pick up on this and use that information to compromise other sites and expand the compromise.
 * Now the scope of compromise for you is maybe not just your favorite site, but anyplace you used that credential.

It's totally fair to say in response that you can't remember that many passwords. I certainly can't. This is why I encourage you to use a password manager, which securely stores all of your passwords. There are many options out there, both free and paid. While the Wikimedia Foundation cannot endorse these, some examples to check out are lastpass, keepass, and sticky password.

Of course, please follow these rules when creating your password manager's password—only use a strong, unique, and lengthy password. This is the only password you'll have to remember!

Rule #6 Passwords are meh…a second factor is better!
Two-factor authentication, often shortened to 2FA, is a way of securing your accounts such that a user has to present two pieces of evidence before logging in. Most frequently, this is a password and a temporary code.

At this time, the Wikimedia Foundation offers two-factor authentication (2FA) only to accounts with certain privileged roles, though we are exploring 2FA options for all users. See m:Help:Two-factor authentication for details.

That said, this rule is still good to keep in mind as you negotiate your way around the internet. Some examples of 2FA services you can use are Google Authenticator, YubiKey, or Authy. See the link above for more examples and links.

You mentioned something about password policy changes?
Wikipedia is not immune to being targeted by password attacks. That's why we're implementing a new password policy, which will go into effect in early 2019 for newly created accounts. While existing users won't be affected by this change, we strongly encourage everyone to review and follow the rules above to keep your account secure. If your password isn’t up to snuff, please come up with something new.

The new password policy will evaluate new credentials against a list of known compromised, weak or just poor passwords in general, and will enforce a minimum eight character password for any newly created account. The same is true for privileged accounts (Administrators, Bot admins, Bureaucrats, Check users, and others), but will enforce a minimum of ten characters.

You can find more information about these changes on MediaWiki.org.

Related, but separately, the Wikimedia Foundation's Security team will also begin running regular password tests. These tests will look for existing weak passwords, and we will encourage everyone to protect their account by using a strong credential.

The Security team is committed to regular security awareness, so you'll be seeing more content like this coming soon.

Thank you for being an advocate for account security.