

Why accounts become compromised

Both weak and strong passwords are vulnerable, although strong passwords are better. Although this is written with Wikipedia in mind, most of it is applicable to other website accounts.

Weak password

Weak passwords are especially vulnerable. They are also vulnerable to the techniques used against strong passwords.

Brute-force attacks
Infiltrators try numerous passwords, often in an automated fashion, until they happen across the correct password. Although Wikipedia limits the number of login attempts over a given time period, users are still vulnerable if they use weak passwords, especially commonly used passwords. Countermeasures are a maximum of 5 logins every 5 minutes, with no more than 150 attempts allowed every 48 hours. A record is also kept of every failed login attempt.

Hacked website with stolen details
There is little the user can do about data breaches from websites. Although strong passwords may also be vulnerable if this happens, weak passwords are much more easily decrypted if the website uses encryption to protect its password database.

Strong and weak passwords

Even strong passwords can easily become vulnerable. But they are much better than weak passwords, principally as they discourage brute-force attacks, and they make hacked websites much less vulnerable to password theft.

Password sharing for multiple uses
Passwords are highly vulnerable if re-used on different sites. If one website is hacked, and the password hash is broken or the passwords were not stored securely, all the other sites with the same password are vulnerable. The same goes for other forms of password breaches.

Similar passwords for multiple uses
If similar passwords are used on multiple websites, the hacker may be able to guess the correct password for a different use, however strong the password is. This may include a brute-force method.

Insecure email - password resetting etc.
Many services, including Wikipedia, allow users to reset a forgotten password by requesting that a reset link be sent to their registered email address. If your email account is somehow compromised, an attacker can use it to gain control of other accounts you have. You should therefore secure the email account that receives reset links at least as well as any passwords that might need resetting. Gmail and Fastmail (and probably others) support 2FA, and you should probably use it if you receive sensitive email or password resets. If 2FA is too inconvenient for everyday email, you might set up a separate 2FA-protected mailbox just for reset links and other sensitive material.

Insecure computers and devices - keystroke logging, cookie hijacking etc.
Logging in on insecure computers or devices, especially ones for public use, can lead to passwords being stolen. The password is copied by a malicious program called a key-logger when it is entered to log on to a website, or an HTTP cookie allowing account access is stolen from a vulnerable computer's browser. If passwords are stored electronically, it may be possible to hack them if the device or program used is insecure.

Insecure networks - packet sniffing etc.
Logins over insecure networks are generally safe from password theft, as long as the website uses HTTPS. Wikipedia uses HTTPS for connections. But passwords transferred in an unencrypted manner are vulnerable, and rogue networks may infiltrate a computer with lax security. Cloud storage of passwords may be a vulnerability if they are not encrypted properly.

Inadvertent or unwise password sharing
This may result from following a link in a fake email that directs you to a fake website, in a so-called phishing attack. Sharing your password with someone dubious could happen in many different ways. This doesn't have to be the end-user; password sharing may happen with the website provider.

Social engineering
Phishing is not the only risk: attackers can trick you into running malicious code in the browser, sending browser cookies to the attacker, or doing something dangerous without knowing it. To stay protected, never follow an attacker's instructions; that means you shouldn't run unknown code or send any browser data such as cookies.

Other password stealing
Even physically stored passwords are vulnerable to theft and copying. Thus even strong passwords can be rendered useless unless properly secured.
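
The login limits quoted under "Brute-force attacks" can be sketched as a sliding-window throttle. This is an added example, not Wikipedia's or MediaWiki's code; the class and function names, the per-username key and the choice not to count throttled attempts are assumptions. `guess_budget` measures how many guesses the limits still leave an automated client, which is why commonly used passwords remain at risk.

```python
from collections import defaultdict, deque

# (max attempts, window in seconds) as stated in the text above
LIMITS = [(5, 5 * 60), (150, 48 * 3600)]


class LoginThrottle:
    """Sliding-window login throttle; `key` is assumed to be the username."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.horizon = max(window for _, window in limits)
        self.attempts = defaultdict(deque)  # key -> times of counted attempts
        self.failed_log = []                # record of every failed login

    def _allow(self, key, now):
        q = self.attempts[key]
        while q and q[0] <= now - self.horizon:
            q.popleft()                     # forget attempts older than 48 h
        for max_attempts, window in self.limits:
            recent = sum(1 for t in q if t > now - window)
            if recent >= max_attempts:
                return False                # over one of the limits
        q.append(now)                       # only attempts let through are counted
        return True

    def attempt(self, key, now, password_ok):
        """Return 'throttled', 'ok' or 'failed' for one login attempt."""
        if not self._allow(key, now):
            return "throttled"
        if password_ok:
            return "ok"
        self.failed_log.append((now, key))
        return "failed"


def guess_budget(hours, every=60):
    """Wrong guesses one client gets against one account in `hours`,
    trying every `every` seconds (constructed scenario)."""
    throttle = LoginThrottle()
    for now in range(0, hours * 3600, every):
        throttle.attempt("ExampleUser", now, password_ok=False)
    return len(throttle.failed_log)


if __name__ == "__main__":
    for hours in (1, 48, 96):
        print(f"{hours:>3} h -> {guess_budget(hours)} guesses")
```

The 48-hour cap works out to 75 guesses a day per account, enough to work through a short list of common passwords over time, so the limits slow guessing down but do not replace a strong password.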


Counter-measures

Further information: Wikipedia:User account security and Wikipedia:Personal security practices

There are a variety of measures that can decrease the likelihood of becoming compromised.

Two-factor authentication (2FA)

Two-factor authentication (2FA)
This is a very effective and relatively simple measure. It is now available to holders of advanced permissions, with work under way to expand availability to other users in the future. It is very useful as it provides a different password each time to thwart key-loggers and other password compromises, and requires access to particular device(s).

Bot passwords
Useful for using programs like AutoWikiBrowser with 2FA enabled. See mw:Manual:Huggle/Bot passwords and Wikipedia:Using AWB with 2FA for information on this.

Other security practices

Other measures, especially pertinent if not using 2FA.

Strong passwords
An important but not invulnerable technique. Recommended for all, but a requirement for holders of advanced permissions.

Committed identity
Very useful in proving a compromised account has been returned to a legitimate owner.

Completely different strong passwords for all websites
Password sharing greatly increases vulnerability, even with strong passwords. Using similar passwords can also be a risk. Password managers are invaluable for storing collections of complex passwords instead of needing to remember them.

Using a different account for public or insecure computers
This is especially relevant if the user holds advanced permissions.

Regular password changing
The more often passwords are changed, the less likely they are to become vulnerable. Change it at Special:ChangeCredentials.

High computer, device and network security
Computers and other devices used to log on to Wikipedia should be kept secure, especially through the use of anti-virus programs and firewalls. Only trusted software should be downloaded and installed. Computers in shared spaces should be locked before being left. Configure modem/router firewall features correctly.

High password security
Never share passwords, even with staff members. No one else should ever need to know them. Store passwords securely, and change them if there is any chance they have become compromised.

None of these techniques are foolproof, but a combination of techniques can greatly reduce the chance of a compromised account.

Email account security

Using these measures with your email account
As described above, access to your email account may allow access to websites that use email-based password resetting.


After being compromised

A typical result of having your account compromised is to have the account either blocked or locked (a lock is a global block from all Wikimedia projects) to prevent further disruption. Although administrators on Wikipedia may be able to help, the WMF Support and Safety team and stewards may also be contacted.

No access to your account
If you are shut out of your account by a password change, a password reset may help you gain access again. But if the email has been changed, this will not be possible. Logs of email changes are kept for admin accounts, which may help in establishing account ownership.

Your account is blocked
This is a likely consequence of an account being compromised. As it may not be possible to prove that an account has been returned, you may have to start afresh. Having a committed identity is one of the few ways that you can prove that you are the user in question, but without this it may be very difficult to prove accounts have been returned to their rightful owner.

Your extra access may be removed
Special user groups may be temporarily removed from your account until you are back in control of it.

Your account has been globally locked
See meta:Global locks for information on how to contact stewards.


See also

Wikipedia:Personal security practices
Wikipedia:User account security
Help:Two-factor authentication
Wikipedia:Simple 2FA
Wikipedia:Using AWB with 2FA
mw:Manual:Huggle/Bot passwords
Template:Committed identity
Category:Compromised accounts

Retrieved from "https://en.wikipedia.org/w/index.php?title=Wikipedia:Compromised_accounts&oldid=775398763"
Categories: Wikipedia information pages


This page was last edited on 14 April 2017, at 16:54. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.

