Manual:Huggle/Bot passwords

Since MediaWiki introduced application passwords (called bot passwords) and deprecated the standard API login with the account password, Huggle has implemented them as well, and they are now the recommended authentication method.

Bot passwords make access to your account through Huggle more secure, because you never expose your real password and you can define the access level the bot password will have.

In order to use bot passwords in Huggle you first need to generate one. You can do so by visiting Special:BotPasswords.

It is recommended to give Huggle the following permissions if you want to use it to its full extent:

 * High-volume editing
 * Edit existing pages
 * Edit your user CSS/JavaScript (required to store your options)
 * Create, edit, and move pages (required to warn users who don't have talk page yet)
 * Patrol changes to pages
 * Rollback changes to pages
 * Block and unblock users
 * Delete pages, revisions, and log entries
 * Protect and unprotect pages
 * View your watchlist
 * Edit your watchlist

Withholding any of these grants from Huggle may cause seemingly random failures in the features that depend on them.

Why are they more secure?
Logging in with a password that has full access to your account is probably the least secure method and should be avoided wherever possible, not only in Huggle. The password, as it is typed, could be captured by a keylogger or recorded in some other way. Someone could also, in theory, craft a malware version of Huggle and offer it to naive users who would run it and enter their password into it.

If someone steals your bot password, they cannot do much with it. Editing is possible only via the API, and they are far more restricted than they would be with your real password.
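The API-only login that a bot password allows, as an added worked example (not Huggle's own code and not the MediaWiki project's): the client fetches a login token, then calls action=login with the account name in `User@BotName` form and the generated bot password. The `FakeMediaWikiApi` class stands in for api.php so the exchange runs offline; its account name and bot password are constructed for the example, and the `post` callable is an assumption standing in for a real HTTP client.

```python
"""Worked example: logging in to the MediaWiki API with a bot password.
Added illustration, not Huggle's code; the fake server and its credentials are constructed."""
import secrets
from typing import Callable, Dict, List

# Assumed transport: posts form parameters to api.php and returns the parsed JSON reply.
Post = Callable[[Dict[str, str]], dict]


def fetch_login_token(post: Post) -> str:
    """Step 1: request a login token (action=query&meta=tokens&type=login)."""
    resp = post({"action": "query", "meta": "tokens", "type": "login", "format": "json"})
    return resp["query"]["tokens"]["logintoken"]


def bot_login_name(username: str, bot_name: str) -> str:
    """Bot passwords are used with the account name in 'User@BotName' form."""
    if "@" in username or not bot_name:
        raise ValueError("username must be the bare account name and bot_name must be set")
    return f"{username}@{bot_name}"


def login_with_bot_password(post: Post, username: str, bot_name: str, bot_password: str) -> str:
    """Step 2: action=login with the token, the User@BotName name and the bot password.

    Returns the lgusername reported by the API on success and raises on any failure.
    Note that the generated bot password is sent, never the account's real password."""
    token = fetch_login_token(post)
    resp = post({
        "action": "login",
        "lgname": bot_login_name(username, bot_name),
        "lgpassword": bot_password,
        "lgtoken": token,
        "format": "json",
    })
    result = resp["login"]["result"]
    if result != "Success":
        raise PermissionError(f"login failed: {result}: {resp['login'].get('reason', '')}")
    return resp["login"]["lgusername"]


class FakeMediaWikiApi:
    """Constructed stand-in for api.php: issues a login token and checks it on action=login.

    The stored account name and bot password are invented for this example."""

    def __init__(self) -> None:
        self.bot_passwords = {"Example@Huggle": "constructed-bot-password-123"}
        self.issued_token = None
        self.calls: List[Dict[str, str]] = []  # record of requests, for inspection in tests

    def __call__(self, params: Dict[str, str]) -> dict:
        self.calls.append(dict(params))
        if params.get("action") == "query" and params.get("meta") == "tokens":
            # Real login tokens end in "+\"; the random part is generated per request here.
            self.issued_token = secrets.token_hex(16) + "+\\"
            return {"batchcomplete": "", "query": {"tokens": {"logintoken": self.issued_token}}}
        if params.get("action") == "login":
            if params.get("lgtoken") != self.issued_token:
                return {"login": {"result": "WrongToken"}}
            expected = self.bot_passwords.get(params.get("lgname", ""))
            supplied = params.get("lgpassword", "")
            # Constant-time comparison, as a password check should do.
            if expected is None or not secrets.compare_digest(expected, supplied):
                return {"login": {"result": "Failed",
                                  "reason": "Incorrect username or password entered."}}
            return {"login": {"result": "Success", "lgusername": params["lgname"].split("@")[0]}}
        return {"error": {"code": "unknown_action"}}


if __name__ == "__main__":
    api = FakeMediaWikiApi()
    print(login_with_bot_password(api, "Example", "Huggle", "constructed-bot-password-123"))
```

Two points of the flow are worth noting for a client author: the `User@BotName` name is what ties the login to one bot password and its grants, and `action=login` is the endpoint for bot passwords (interactive logins go through `clientlogin`), so a stolen bot password is only usable through this API path and not on the normal login form.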

Why Huggle doesn't just use OAuth
Because OAuth is a technology that was never designed with desktop applications in mind. It was designed to let web-based applications log users in through another web server that hosts the credential database (in this case Wikimedia's central auth).

Each such web application has its own secret, stored on the provider's web server; users can use this secret to verify the authenticity of the application, and through web callbacks the authentication server communicates the result of a login back to the website you want to log in to.

Huggle, however, is not a web server; it is an application running on your own system. There is no easy way for it to handle callbacks from the OAuth server, and the process is overly complex for something that can be done in a much simpler way. The security features of OAuth bring nothing useful to an application that runs directly on your PC and is fully under your control.