About account security
To help keep your account secure, we recommend the following best practices:
- Use a strong password that you don’t reuse on other websites.
- Use two-factor authentication.
- Require email and phone number to request a reset password link or code.
- Be cautious of suspicious links and always make sure you’re on twitter.com before you enter your login information.
- Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.
- Make sure your computer software, including your browser, is up-to-date with the most recent upgrades and anti-virus software.
- Check to see if your account has been compromised.
Password strength
Create a strong and unique password for your Twitter account. You should also create an equally strong and unique password for the email address associated with your Twitter account.
Do’s:
- Do create a password at least 10 characters long. Longer is better.
- Do use a mix of uppercase, lowercase, numbers, and symbols.
- Do use a different password for each website you visit.
- Do keep your password in a safe place. Consider using password management software to store all of your login information securely.
Don’ts:
- Do not use personal information in your password such as phone numbers, birthdays, etc.
- Do not use common dictionary words such as “password”, “iloveyou”, etc.
- Do not use sequences such as “abcd1234”, or keyboard sequences like “qwerty”.
- Do not reuse passwords across websites. Your Twitter account password should be unique to Twitter.
Additionally, you can select Require personal information to reset my password in your Account settings. If you check this box and ever forget your password, you will be prompted to enter your email address or phone number (or your email address and then your phone number, if both are associated with your account) before a reset link or confirmation code is sent.
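As an added example (not from the Twitter help page itself), the following Python function applies the do's and don'ts above to a candidate password and reports which rules it breaks. The common-word list, keyboard rows and sample passwords are constructed for illustration; a real checker would use a far larger dictionary.

```python
import re

# Constructed lists covering the rules the page names; a real deployment
# would use a much larger dictionary of common passwords.
COMMON_WORDS = ("password", "iloveyou", "letmein", "welcome", "twitter")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 10  # the page's "at least 10 characters"


def has_sequence(lowered, run=4):
    """True if `lowered` contains `run` consecutive ascending characters
    (abcd, 1234) or a `run`-long slice of a keyboard row (qwer, asdf)."""
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        if all(ord(window[k]) == ord(window[0]) + k for k in range(run)):
            return True
        if any(window in row for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(password, personal_info=()):
    """Return the list of rules the password breaks (empty means it passes).
    personal_info holds the user's own data (birth year, phone number, ...)
    that must not appear in the password."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Mix of uppercase, lowercase, digits and symbols
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, password) for p in classes):
        problems.append("missing uppercase, lowercase, digits or symbols")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    if has_sequence(lowered):
        problems.append("contains a character or keyboard sequence")
    for item in personal_info:
        digits = re.sub(r"\D", "", item)  # phone numbers may carry dashes/spaces
        if (len(item) >= 3 and item.lower() in lowered) or \
           (len(digits) >= 3 and digits in lowered):
            problems.append("contains personal information")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials
    for pw in ("abcd1234", "Password2020!", "Tr0ub4dor&3-Horse"):
        print(pw, "->", check_password(pw, ["2020"]) or "passes all rules")
```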
Use two-factor authentication
Two-factor authentication is an extra layer of security for your account. Instead of relying on a password only, two-factor authentication introduces a second check to help make sure that you, and only you, can access your Twitter account. Only people who have access to both your password and your mobile phone (or a security key) will be able to log in to your account.
Read our article on two-factor authentication to learn more.
Check that you're on twitter.com
Phishing is when someone tries to trick you into giving up your Twitter username, email address or phone number and password, usually so they can send out spam from your account. Often, they’ll try to trick you with a link that goes to a fake login page. Whenever you are prompted to enter your Twitter password, take a quick look at the URL in the address bar of your browser to make sure you're on twitter.com. Additionally, if you receive a Direct Message (even from a friend) with a URL that looks odd, we recommend you do not open the link.
Phishing websites will often look just like Twitter's login page, but will actually be a website that is not Twitter. Twitter domains will always have https://twitter.com/ as the base domain. Here are some examples of Twitter login pages:
If you are ever unsure about a login page, go directly to twitter.com and enter your credentials there. If you think you may have been phished, change your password as soon as possible and visit our compromised account article for additional instructions.
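As an added example (not part of the Twitter help page), the following Python check encodes the rule stated above: a genuine login page is served over https with twitter.com as the base domain. The sample URLs are constructed lookalikes for illustration, not real phishing sites.

```python
from urllib.parse import urlsplit

# The page's rule: a real Twitter login page has https://twitter.com/ as its
# base domain. Subdomains such as mobile.twitter.com are part of that domain.
TRUSTED_BASE = "twitter.com"


def is_twitter_login_url(url):
    """Return True only if url is an https page on twitter.com or a subdomain.
    Lookalike hosts (twitter.com.example.net, twitt3r.com), http:// pages,
    user@host tricks and non-ASCII (possibly confusable) hostnames all fail."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if parts.scheme != "https" or not host or not host.isascii():
        return False
    if "@" in parts.netloc:  # e.g. https://twitter.com@example.net/ is example.net
        return False
    # Compare the registrable host, not whether "twitter.com" appears anywhere
    return host == TRUSTED_BASE or host.endswith("." + TRUSTED_BASE)


def classify(urls):
    """Map each URL to 'trusted' or 'suspicious' for a quick review."""
    return {u: ("trusted" if is_twitter_login_url(u) else "suspicious")
            for u in urls}


# Constructed examples of the patterns the page warns about
SAMPLE_URLS = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/login",
    "http://twitter.com/login",
    "https://twitter.com.login-example.net/",
    "https://login-example.net/twitter.com/login",
    "https://twitter.com@login-example.net/",
    "https://twitt3r.com/login",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print("%-45s %s" % (url, verdict))
```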
Read about fake Twitter emails for more information about phishing through email.
We won't contact you asking for your password
Twitter will never ask you to provide your password via email, Direct Message, or reply.
We will never ask you to download something or sign-in to a non-Twitter website. Never open an attachment or install any software from an email that claims to be from us; it's not.
If we suspect your account has been phished or hacked, we may reset your password to prevent the hacker from misusing your account. In this case, we'll email you a twitter.com password reset link.
If you forget your password, you can reset it via this link.
New and suspicious login alerts
If we detect a suspicious login, or when you log in to your Twitter account from a new device for the first time, we will send you a push notification within the Twitter app or via email, as an extra layer of security for your account. Login alerts are only sent following new logins through Twitter for iOS and Android, twitter.com, and mobile web.
Through these alerts, you can verify that it was you who logged in from the device. If you did not log in from the device, you should follow the steps in the notification to secure your account, starting by changing your Twitter password immediately. Please note that the location listed in the notification is an approximate location derived from the IP address you used to access Twitter, and it may be different from your physical location.
Note: If you log in to your Twitter account from incognito browsers or browsers with cookies disabled, you will receive an alert each time.
Email address update alerts
Any time the email address associated with your Twitter account is changed, we will send an email notification to the previously-used email address on your account. In the event your account is compromised, these alerts will help you take steps to regain control of your account.
Evaluating links on Twitter
Many Twitter users post links using URL shorteners, like bit.ly or TinyURL, to create unique, shortened links that are easier to share in Tweets. However, URL shorteners can obscure the end domain, making it difficult to tell where the link goes to.
Some browsers, like Chrome and Firefox, have free plug-ins that will show you the extended URLs without you having to click on them:
In general, please use caution when clicking on links. If you click on a link and find yourself unexpectedly on a page that resembles the Twitter login page, do not enter your username and password. Instead, go to twitter.com and log in directly from the Twitter homepage.
Keep your computer and browser up-to-date and virus-free
Keep your browser and operating system updated with the most current versions and patches—patches are often released to address particular security threats. Be sure to also scan your computer regularly for viruses, spyware, and adware.
If you're using a public computer, make sure you sign out of Twitter when you're done.
Select third-party applications with care
There are many third-party applications built on the Twitter platform by external developers that you can use with your Twitter account(s). However, you should be cautious before giving third-party applications access to your account.
If you wish to grant a third-party application access to your account, we recommend that you only do so using Twitter’s OAuth method. OAuth is a secure connection method and doesn’t require you to give your Twitter username and password to the third party. You should be particularly cautious when you're asked to give your username and password to an application or website, as third-party applications don’t need your username and password to be granted access to your account via OAuth. When you give your username and password to someone else, they have complete control of your account and can lock you out or take actions that cause your account to be suspended. Learn about connecting or revoking third-party applications.
We suggest you review third-party applications that have access to your account from time to time. You can revoke access for applications that you don't recognize or that are Tweeting on your behalf by visiting the Applications tab in your account settings.