You may remember a time before password standards, when passwords like “password” were used. As countless news stories have shown us since, those passwords were not ideal—but the recommended solution of creating complex passwords for each website has created problems of its own.[1]
Having one of your online accounts hacked can be a disruptive and disturbing experience. That’s why the Wikimedia Foundation’s Security team wants to make preventing that a little easier by updating our password policies (more on that at the bottom) and has put together six rules for selecting a good password.[2] We strongly encourage all current Wikimedia users to review the updated policy and their current passwords to ensure that their account remains secure.
Rule #1: Favor length over complexity
When creating a password, pick something that is easy to remember but has a lot of characters and is made up from multiple words. I like to use a collection of thoughts and things to create a statement or phrase. This phrase could be nonsensical or something real.
For example, here’s a picture of a dog. If I were to create a password based on this image, it would be “That dog is standing in the violets and needs a shave!” This is a great password for these three reasons: it’s long, difficult to guess or crack, and easy to remember (because it’s true).
A more complex password with fewer characters, like D0gg@sRul3!, is tough to crack but much harder to create and to remember. Because it is hard to remember, it is also more likely to be recycled for use in other places, which is a bad idea and something we will cover in rule #5.
Rule #2: D0nt M@k3 1t h/\rd3r t#aN 1T hA5 t() %e! (Don’t make it harder than it has to be!)
Complexity is the enemy of security. From a credentialing standpoint, it encourages very bad habits. When we add more complexity to credentials, it makes it harder to remember passwords and strengthens the temptations to reuse the same credentials on multiple sites, which is a very bad idea (see rule #5). You can create a great password without making it super complicated.
Rule #3: Don’t change passwords just for the sake of changing them
Changing passwords for the sake of changing them enforces a couple of bad habits. Primarily, it encourages the selection of bad passwords (such as passwords that follow the seasons, like Summer2018 or Winter2018). It also encourages credential reuse: when users are prompted to change their password, it’s easier to just reuse something they are already using somewhere else. This is a bad idea (see rule #5).
You should change your password if you know or suspect that the account has been compromised. There are a couple of places on the internet that can help you find that information, such as the website Have I Been Pwned.
Rule #4: Don’t use the name of the site, application or thing as part of the password
While incorporating the name of the site or application into your password creation process might be tempting, it’s not a great idea. This also extends to the products or services that the site or application provides. When you create credentials, they should be unique and separate from the activity you are participating in. For example, if your password on Wikipedia is ‘i edit wikipedia’, please change your password immediately.
Rule #5: Don’t reuse passwords
This rule has been mentioned in just about every other rule because it’s extremely important. Many of us go to lots of places on the internet, and that results in lots of credentials. That also means that it’s not at all unusual to create common credentials, reused across social media, banking, or other sites. Often we’ve created a “good” strong password that we use for sensitive sites, and an “ok” password that is used for less critical things.
Unfortunately, recycling passwords is pretty dangerous. Here’s a very common and oft-heard scenario:
- One of your favorite sites gets compromised. It’s one where you used your “good” password.
- A dump of user IDs and passwords from that compromise is posted someplace on the internet.
- Attackers use the list’s information, including your username and password, to try to break into other accounts on other sites.
- Suddenly, it’s not just the one account that’s compromised—it’s your banking and any number of other sensitive sites where you used those credentials.
It’s totally fair to say in response that you can’t remember that many passwords. I certainly can’t. This is why I encourage you to use a password manager, which securely stores all of your passwords. There are many options out there, both free and paid. Some examples are LastPass, KeePass, and Sticky Password.[3]
Of course, please follow these rules when creating your password manager’s password—only use a strong, unique, and lengthy password. This is the only password you’ll have to remember!
Rule #6: Passwords are “ok”. A second factor is better!
Two-factor authentication, often shortened to 2FA, is a way of securing your accounts such that a user has to present two pieces of evidence before logging in. Most frequently, this is a password and a temporary code.
At this time, the Wikimedia Foundation offers two-factor authentication (2FA) only to accounts with certain privileged roles, though we are exploring 2FA options for all users.
That said, this rule is still good to keep in mind as you negotiate your way around the internet. Some examples of 2FA services you can use are Google Authenticator, YubiKey, or Authy.[3]
What about that new password policy?
Wikipedia is not immune to being targeted by password attacks. That’s why we’re implementing a new password policy, which will go into effect in early 2019 for newly created accounts. While existing users won’t be affected by this change, we strongly encourage everyone to review and follow the rules above to keep your account secure. If your password isn’t up to snuff, please come up with something new.
The new password policy will evaluate new credentials against a list of known compromised, weak, or otherwise poor passwords, and will enforce a minimum of eight characters for any newly created account. Privileged accounts (Administrators, Bot admins, Bureaucrats, Check users, and others) will be checked against the same list, with a minimum of ten characters.
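As an added illustration (not MediaWiki’s own implementation, and not code from this post), here is a small Python check modelled on the policy just described: a minimum of eight characters, ten for privileged roles, and rejection of anything found on a list of known-bad passwords. It goes slightly beyond the policy text by also enforcing rule #4 above (no site name or username inside the password). The role names, the tiny constructed word list, the case-insensitive matching, and the `check_password` interface are assumptions made for this demo.

```python
"""Password policy check modelled on the policy described in the post.

Added example; not MediaWiki's actual $wgPasswordPolicy implementation.
The role names, the word list and the function interface are assumptions.
"""
import unicodedata

# Constructed stand-in for a list of known compromised or weak passwords.
# A real deployment loads a large list built from public breach corpora.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin",
    "summer2018", "winter2018", "wikipedia",
}

# Assumed role names standing in for Administrators, Bureaucrats, Check users, ...
PRIVILEGED_ROLES = {"sysop", "bureaucrat", "checkuser", "bot"}

MIN_LENGTH_DEFAULT = 8      # from the policy: new accounts
MIN_LENGTH_PRIVILEGED = 10  # from the policy: privileged accounts


def min_length_for(roles) -> int:
    """Privileged accounts get the longer minimum; everyone else the default."""
    return MIN_LENGTH_PRIVILEGED if PRIVILEGED_ROLES & set(roles) else MIN_LENGTH_DEFAULT


def check_password(password: str, username: str, roles=(), site_name: str = "wikipedia"):
    """Return the list of failed rule names; an empty list means 'acceptable'.

    Rules: minimum length (8, or 10 for privileged roles), not on the
    common-password list, and (rule #4 of the post) no site name or
    username embedded in the password. Matching is case-insensitive.
    """
    # Normalise so visually identical strings count the same number of characters.
    pw = unicodedata.normalize("NFC", password)
    lowered = pw.casefold()
    failures = []

    min_len = min_length_for(roles)
    if len(pw) < min_len:
        failures.append(f"too_short(min={min_len})")
    if lowered in COMMON_PASSWORDS:
        failures.append("in_common_list")
    if site_name.casefold() in lowered:
        failures.append("contains_site_name")
    if username and username.casefold() in lowered:
        failures.append("contains_username")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs, including the post's own example passwords.
    samples = [
        ("That dog is standing in the violets and needs a shave!", "alice", ()),
        ("D0gg@sRul3!", "alice", ()),
        ("Summer2018", "bob", ()),            # long enough, but on the list
        ("i edit wikipedia", "carol", ()),    # rule #4
        ("ninechars", "dave", ("sysop",)),    # fine for a user, too short for an admin
    ]
    for pw, user, roles in samples:
        print(f"{pw!r:60} -> {check_password(pw, user, roles) or 'OK'}")
```

Note what the length rule alone does not catch: Summer2018 is ten characters and passes the length check for every role, and only the known-bad list rejects it. That is why the policy combines a minimum length with a list check rather than relying on either one.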
You can find more information about these changes on MediaWiki.org.
Relatedly, but as a separate effort, the Wikimedia Foundation’s Security team will also begin running regular password tests. These tests will look for existing weak passwords, and we will encourage everyone affected to protect their account by using a strong credential.
The Security team is committed to regular security awareness, so you’ll be seeing more content like this coming soon. Thank you for being an advocate for account security.
John Bennett, Director of Security
Wikimedia Foundation
• • •
Footnotes
1. The National Institute of Standards and Technology believed that the solution was to create complex passwords for each website—but the more complex things became, the harder it was to meet the requirements and remember passwords. Inadvertently, the institute’s recommendations encouraged poor credential habits like passwords on post-it notes, or having a single ‘strong’ password and one that gets used for everything else.
2. For a litany of reasons that I won’t get into here, the word ‘password’ is a bit dated. Going forward, ‘passphrase’ is really a better way to think about all of this. I’d like to keep things simple, though, so we’ve used ‘password’ for this post.
3. These are examples and not endorsed by the Wikimedia Foundation.