Make sure you have a password
This is an essay. It expresses the opinions and ideas of some Wikimedians but may not have wide support. This is not policy on Meta, but it may be a policy or guideline on other Wikimedia projects. Feel free to update this page as needed, or use the discussion page to propose major changes.
Security is a big concern for Wikimedia projects, and the number one deterrent of account hijacking is you. Failing to protect yourself online, for instance by choosing a weak, easily guessed password such as "1234" or "password", is simply asking for trouble – just like walking around with your fly open. We recommend that you avoid getting caught with your fly open, by choosing a strong password and taking steps to prevent your account from being hijacked. This essay is meant to highlight some of the simple, easy-to-do, common-sense things that everyone can do to have greater security, but it is by no means a complete guide to network or Internet security.
How to choose a strong password
- Longer passwords are better: a minimum of eight alphanumeric characters is usually suggested, with mixed cases in the alphabetic characters.
- Do not use birth dates, family names, phone/social security/passport/id numbers, or any other information tied personally to you or someone you know.
- Do not use words that may appear in any dictionary (i.e., no foreign words either).
- Use nonsensical strings of characters (i.e., not dictionary words) and ideally randomly chosen ones only. Use a mnemonic if necessary; for example, "My First Cousin Al lives in Denver" is an aid to remember "M1CA11inD" (note the use of 1 instead of L). However, this specific character string is not suited as a password -- but see below.
- Do not use a password that has been used as an example of a good one (like "M1CA11inD", which appears above).
- Use spaces, punctuation, special characters or symbols, such as =, #, /, or ©. These are permitted in all Wikimedia log-ins.
- See password strength for explanations and more tips.
Our system allows you to use a passphrase rather than just a single word. If your password is long enough you can ignore many of the common tips like avoiding dictionary words. For example "twig let iffy date ron carl" is a password which is very strong even though it contains dictionary words.
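The following checker is an added example, not part of the original essay or any Wikimedia software. It encodes the rules listed above (minimum length, mixed case, no dictionary words, no published example strings) and compares the two kinds of password the essay discusses: a character-by-character password such as "M1CA11inD", whose strength is bounded by its length and character set, and a multi-word passphrase such as "twig let iffy date ron carl", whose strength comes from how many words were chosen and how large the list they came from was. The small word list, the 7776-word list size used for the passphrase estimate, and the five-word passphrase threshold are assumptions made for the example.

```python
import math
import string

# Constructed stand-ins (assumption): a real checker would load a full
# dictionary and a larger list of passwords that have been published as examples.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}
PUBLISHED_EXAMPLES = {"M1CA11inD"}   # the essay's own mnemonic example
MIN_LENGTH = 8                       # the essay's suggested minimum
PASSPHRASE_MIN_WORDS = 5             # assumption: when to treat input as a passphrase
SYMBOLS = set(string.punctuation) | {" "}


def charset_entropy_bits(password: str) -> float:
    """Upper bound on the entropy of a character-by-character password,
    assuming every character was drawn uniformly from the union of the
    character classes that actually appear in it. Real passwords built from
    mnemonics are weaker than this bound, never stronger."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words were picked at random from a list
    of wordlist_size words. That the words appear in a dictionary does not
    matter; only the number of words and the size of the list do."""
    return word_count * math.log2(wordlist_size)


def policy_problems(password: str) -> list:
    """Return the essay's rules that the password breaks (empty list = passes)."""
    problems = []
    if password in PUBLISHED_EXAMPLES:
        problems.append("published example")
    if len(password.split()) >= PASSPHRASE_MIN_WORDS:
        # Long passphrase: the essay says the per-character tips can be ignored.
        return problems
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mixed case")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ["1234", "password", "M1CA11inD", "twig let iffy date ron carl"]:
        print(f"{pw!r}: problems={policy_problems(pw)}")
    print("M1CA11inD, charset upper bound:", round(charset_entropy_bits("M1CA11inD"), 1), "bits")
    print("6 words from a 7776-word list:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The contrast the numbers make is the essay's point: nine mixed characters give at most about 54 bits even under the generous assumption that they were random, while six words drawn from a 7776-word list give about 78 bits despite every word being in a dictionary.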
How to prevent account hijacking
In addition to selecting a strong password, there are many precautions you should take to prevent your account from becoming hijacked.
Editing from public computers
As a general rule of thumb, you should never edit from a public computer, such as those in libraries or schools. If you feel that you absolutely must log in to your Wikimedia account, please be sure to abide by the following:
- Create a separate account for use on public computers, or just edit without logging in. This account should have a password and e-mail that is distinct from your main account, and you should place a notice on the account's userpage indicating that it is your alternate account.
- You should never log into an account with Sysop, CheckUser, Oversight, or other privileges on a public computer.
- Be sure to log out when you are finished, and also make sure you clear your cookies and cache.
- Beware of shoulder surfers when logging in.
Good home computer hygiene
Additionally, there are many steps that should be taken to ensure "good computer hygiene" at home, namely:
- Protect your own computer log-in account with a password, and set it up to automatically log-off after a brief period of inactivity, if possible.
- Do not use toolbars or Browser Helper Objects (BHOs) supplied by untrusted third parties. Use cautious settings for software even from typically trusted vendors, such as Google, Yahoo, Microsoft, or Symantec, if you must use such add-ons.
- If you have your browser set to remember your password, make sure the browser password manager has a strong master password (Firefox users have this ability), or clear the password memory before shutting down. Preferably, your browser should be set to use your operating system's password manager, which should also have a strong password and use strong encryption. For more on password managers, see w:Password manager.
- Avoid writing your password or username down, but if you must, never do so in the same ___location -- either a physical one or a computer file.
- Do not use the same password on different websites. In particular, do not use your wiki password for mailing lists or IRC channels, as these tend to be far less secure.
- Keep and maintain a good, well known firewall and anti-virus program such as Zone Alarm, Norton Internet Security, or McAfee Security Center. There are many other options out there, but these are three major ones. Consult a PC repair professional or retail salesperson in your area for more advice and information.
Beware of phishermen
Phishing is a method of account hijacking that is becoming increasingly common. It involves the use of e-mails and web pages designed to fool users into thinking that information is being requested from them by an authority they trust. An example of a phishing attempt would be a page that looks exactly like the Wikipedia log-in page, but when you click "submit" you send your username and password not to Wikimedia's servers, but to a phisherman's inbox. Here are a few steps you can take to help protect yourself from phishing:
- Always double-check the URL on any page on which you submit a password. For example, if you are logging into the English Wikipedia, you should always ensure that you are currently viewing http://en.wikipedia.org/wiki/Special:Userlogin.
- Be wary even of pages on Wikimedia wikis. As they are all open content, it's not inconceivable that a phishing attempt may appear on, for instance, a Wikipedia page.
- Never give out your password to anyone, even if you are positive that they are employees of the Wikimedia Foundation. No one with the foundation should ever ask for your password or other personal information.
- Use caution when following hyperlinks, especially those found in emails or on untrustworthy websites. If the site is one in which you will enter a password or any other personal information, go to it using a bookmark or by typing what you know to be the correct URL into the address bar, if possible. Hovering over a link with your mouse and checking the URL that appears in your status bar offers some protection, but the URL in the status bar can be easily forged, so this method is by no means foolproof. To be sure what site a link is pointing to, check the source code. Finally, some software automatically turns plain-text URLs into links for convenience. This allows phishermen to trick people by making a hyperlink to a phishing site that looks like a plain-text URL of a trusted site that an application, such as your email program, has turned into a hyperlink. Unless the status bar information has been forged, such a link can be identified by hovering your mouse over it. If you are sure that the URL is correct, you can safely type or paste it into the address bar.
- If you believe your password may have been phished, please attempt to log in to your account and change your password. If you are unable to log in, immediately notify a developer, administrator, or other trusted member of your wiki that your account has been compromised. You will not face any repercussions for having your account hijacked, other than a temporary suspension of your account.
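The two checks the list above asks you to make by eye (is the host really en.wikipedia.org, and does a link's visible text match where it actually points) can be done mechanically. The script below is an added example and is not code from the essay or from Wikimedia; it uses only Python's standard library. The sample e-mail fragment and the `example.net` hosts in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_LOGIN_HOST = "en.wikipedia.org"   # the essay's own example


def url_host(url: str):
    """Hostname of a URL as a browser would resolve it: scheme, any user@
    prefix, port and path are all discarded. Returns None if there is none."""
    host = urlparse(url).hostname
    return host.rstrip(".").lower() if host else None


def is_expected_login_url(url: str, expected_host: str = EXPECTED_LOGIN_HOST) -> bool:
    """True only when the host the browser will talk to is exactly the expected one."""
    return url_host(url) == expected_host


def naive_check(url: str, expected_host: str = EXPECTED_LOGIN_HOST) -> bool:
    """The 'does the address contain en.wikipedia.org?' test people do by eye.
    Included only to show why it is not enough: the expected name can appear
    inside a longer host or before an @ while the real host is something else."""
    return expected_host in url


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Links whose visible text is itself a URL but names a different host
    than the href does: the trick the essay describes, where a hyperlink is
    dressed up as the plain-text address of a trusted site."""
    parser = LinkCollector()
    parser.feed(html)
    return [
        (href, text)
        for href, text in parser.links
        if text.startswith(("http://", "https://")) and url_host(text) != url_host(href)
    ]


# Constructed sample: one disguised link and one ordinary link.
SAMPLE_EMAIL_HTML = """
<p>Please confirm your account at
<a href="http://login.example.net/wiki/Special:Userlogin">http://en.wikipedia.org/wiki/Special:Userlogin</a>
or read the <a href="http://en.wikipedia.org/wiki/Help:Logging_in">help page</a>.</p>
"""

if __name__ == "__main__":
    for url in ["http://en.wikipedia.org/wiki/Special:Userlogin",
                "http://en.wikipedia.org.example.net/wiki/Special:Userlogin",
                "http://en.wikipedia.org@example.net/wiki/Special:Userlogin"]:
        print(f"{url}\n  naive={naive_check(url)}  parsed host={url_host(url)}  ok={is_expected_login_url(url)}")
    for href, text in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {text} but points at {href}")
```

The parse-based check compares the whole hostname for equality rather than searching for a substring, which is what makes the difference: both lookalike addresses in the demo pass `naive_check` and fail `is_expected_login_url`, and the disguised link in the sample e-mail is the only one `mismatched_links` reports.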
Editing from a Wi-Fi network
Editing from a wireless network makes it much easier for someone to intercept your password if the proper precautions are not taken, because all transmissions are broadcast over the air. Therefore, when editing from one, use these precautions:
- Make sure that your network is protected by WPA2 or WPA2-PSK using the AES encryption method, or a VPN if possible. If you control the base station hardware, and it does not support WPA2, it should be replaced or upgraded with a firmware that adds support for WPA2.
- If your operating system is Windows XP, get it patched to support WPA2 with this patch from Microsoft. Note that this patch requires Windows XP Service Pack 2.
- If you cannot replace or upgrade your hardware to support WPA2, use WPA using AES if possible.
- If you must use hardware that does not support AES, use WPA with TKIP encryption. Note that WPA (with its default TKIP encryption method), and WPA2 configured to use TKIP instead of its default AES, can fall to a DoS attack. Their authentication mechanism, Michael, was made as strong as possible given the old hardware constraints but is still considered weak enough that, if it detects forged frames, other forged frames able to slip past Michael are likely present; the network will therefore temporarily shut itself down rather than let the attacker continue cracking it.
- If you are using hardware that cannot be upgraded to support WPA, it should be replaced. There is nothing like having someone use your WLAN to download child porn or perform other illegal activities, having the IP address get traced to you, and getting arrested for someone else's crimes. WEP can often be cracked in under one minute, so it offers practically no protection at all against this scenario.
- If you are using WPA-PSK or WPA2-PSK, make sure that the passphrase on the network is sensible. Weak passwords allow WPA-PSK and WPA2-PSK to fall to dictionary attacks.
- If you must edit using an unencrypted or WEP-protected Wi-Fi network, use the secure server URL for your project. For example, the secure server URL for the English Wikipedia is https://secure.wikimedia.org/wikipedia/en/wiki/.
Essentially, it comes down to care and good sense. Taking simple measures to combat account hijacking will keep you from becoming the next rogue editor and losing your editing and/or sysop privileges for good.