Keeping your account secure
We want Twitter to be a safe and open community. This help page provides some information and tips to help you practice safe Tweeting and keep your account secure. Here are some basics:
- Use a strong password.
- Use login verification.
- Watch out for suspicious links, and always make sure you’re on Twitter.com before you enter your login information.
- Never give your username and password out to untrusted third parties, especially those promising to get you followers or make you money.
- Make sure your computer and operating system are up to date with the latest patches and upgrades, and run current anti-virus software.
We're working to improve our responses to security threats, but user accounts and computers can sometimes become compromised by phishing, hacks, or viruses. If you think your account has been compromised, please visit our help page for compromised accounts to find out how to fix it quickly!
You can help protect your account by following some easy precautions, discussed below.
Use a strong and unique password
In addition to choosing a strong password for your Twitter account, do the same for the email account associated with it: anyone who can read that mailbox can request a password reset and take over your Twitter account.
- Do create a password at least 10 characters long. Longer is better.
- Do use a mix of uppercase, lowercase, numbers, and symbols.
- Do use a different password for each website you visit.
- Do keep your password in a safe place. Consider using a password manager to generate and store all of your login information securely; a manager also only fills a saved password on the site it was saved for, which helps against the fake login pages described below.
- Do not use personal information in your password such as phone numbers, birthdays, etc.
- Do not use common dictionary words such as “password”, “iloveyou”, etc.
- Do not use sequences such as “abcd1234”, or keyboard sequences like “qwerty”.
- Do not reuse passwords across websites. Your Twitter account password should be unique to Twitter.
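The Do/Do not rules above can be turned into a mechanical check. The following is an added example, not Twitter's code: the word list, the keyboard rows and the run length of four are assumptions chosen to illustrate the rules (a real deployment would use a far larger word list), and "no personal information" can only be tested when the caller passes in the values it knows about the user.

```javascript
// Added example, not Twitter's code: a checker for the Do/Do not rules above.
// The word list, keyboard rows and the run length of 4 are assumptions chosen
// to illustrate the rules; a real deployment would use a much larger word list.

const COMMON_WORDS = ["password", "iloveyou", "letmein", "welcome", "twitter"];
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const RUN = 4; // any 4 adjacent characters that form a sequence count

// True if s contains RUN characters whose codes step by +1 or -1 (abcd, 4321, wxyz).
function hasCharSequence(s) {
  const lower = s.toLowerCase();
  for (let i = 0; i + RUN <= lower.length; i++) {
    let asc = true;
    let desc = true;
    for (let j = 1; j < RUN; j++) {
      const d = lower.charCodeAt(i + j) - lower.charCodeAt(i + j - 1);
      if (d !== 1) asc = false;
      if (d !== -1) desc = false;
    }
    if (asc || desc) return true;
  }
  return false;
}

// True if s contains RUN adjacent keys from a keyboard row, typed in either direction.
function hasKeyboardSequence(s) {
  const lower = s.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    const reversed = row.split("").reverse().join("");
    for (let i = 0; i + RUN <= row.length; i++) {
      if (lower.includes(row.slice(i, i + RUN)) || lower.includes(reversed.slice(i, i + RUN))) {
        return true;
      }
    }
  }
  return false;
}

// Returns the rules the password breaks; an empty array means it passes.
// personalTerms: values known to belong to the user (name, birthday, phone);
// digits are compared with punctuation stripped so "1990-05-12" matches "19900512".
function assessPassword(password, personalTerms = []) {
  const failures = [];
  const lower = password.toLowerCase();
  if (password.length < 10) failures.push("too short: use at least 10 characters");
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(password)).length;
  if (classes < 3) failures.push("needs a mix of uppercase, lowercase, numbers and symbols");
  if (COMMON_WORDS.some((w) => lower.includes(w))) failures.push("contains a common dictionary word");
  if (hasCharSequence(password)) failures.push("contains a sequence like abcd or 1234");
  if (hasKeyboardSequence(password)) failures.push("contains a keyboard sequence like qwerty");
  const digitsOnly = password.replace(/\D/g, "");
  for (const term of personalTerms) {
    const t = String(term).toLowerCase();
    const tDigits = t.replace(/\D/g, "");
    const hit = (t.length >= 4 && lower.includes(t)) || (tDigits.length >= 4 && digitsOnly.includes(tDigits));
    if (hit) {
      failures.push("contains personal information: " + term);
      break;
    }
  }
  return failures;
}
```

Note that a long passphrase such as `Correct-Horse-7-Battery` passes every rule while `Password1234!` fails three of them at once, even though both satisfy the length and character-mix rules: length and unpredictability matter more than ticking the character-class box.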
Additionally, you can select “Require personal information to reset my password” in your Security and privacy settings. If you check this box, you will be prompted to enter your e-mail address or phone number to reset your password if you ever forget it.
For more info on selecting a secure password, check out these password tips from Google.
Use login verification
Login verification is a feature that helps you keep your account more secure. Instead of relying on just a password, login verification introduces a second check to make sure that you and only you can access your Twitter account. Only people who have access to both your password and your phone will be able to log in to your account.
For help setting up login verification on your account, visit our article about using login verification.
Always check that you're at twitter.com before logging in
Phishing is when someone tries to trick you into giving up your Twitter or email username and password, usually so they can send out spam to all your followers from your account. Often, they’ll try to trick you with a link that goes to a fake login page.
Be wary of weird links in DMs: Be cautious when clicking on odd links in DMs. Even if the link came from a friend, it's possible that their account was compromised and the URL was actually sent out by a spammer.
Make sure you're on Twitter.com before logging in: Whenever you are prompted to enter your Twitter password, just take a quick look at the URL and make sure you're actually on Twitter.com.
You can find the URL in the address bar of your browser. Twitter login pages always use https and have twitter.com as the base domain: the host is either twitter.com itself or ends in .twitter.com. Check the whole host, not just whether the word twitter appears somewhere in the address.
Phishing websites will often look just like Twitter's login page, but will actually be a website that is not Twitter. Their addresses typically put twitter.com somewhere other than the base domain (for example as the start of a longer host name that belongs to another site, or in the path after the host) or use a slightly different spelling.
If you think you may have been phished, change your password as soon as possible and visit this help page for compromised accounts.
Log in directly at Twitter.com if you're unsure: If you’re ever uncertain of a website, just type Twitter.com into your browser bar, hit enter, and log in directly from our homepage.
We won't contact you asking for your password
Twitter will never ask you to provide your password via email, direct message, or @reply.
We will never ask you to download something or sign-in to a non-Twitter website. Never open an attachment or install any software from an email that claims to be from us; it's not.
If we suspect your account has been phished or hacked, we may reset your password to prevent the hacker from misusing your account. In this case, we'll email you a link to where you can reset your password. Again, this link will always be on the https://twitter.com/ website, and we will never ask you to provide your password via email, direct message, or @reply.
If you forget your password, you can reset it yourself at this link.
Tip: If you're getting password reset emails you didn't request, you might consider verifying a phone with your account to prevent other users from mistakenly typing your username into our password reset form. We always ask for phone number confirmation before we send any user-requested password reset emails.
Evaluating links on Twitter
Lots of links are shared on Twitter, and many are posted with URL shorteners. URL shorteners, like bit.ly or TinyURL, create unique, shortened links that redirect to your longer link so it can be more easily shared. URL shorteners can also obscure the end domain, making it difficult to tell where the link goes to.
Some browsers, including Internet Explorer and Firefox, have free plug-ins that show you the expanded URL without you having to click on it.
In general, please use caution when clicking on links. If you click on a link and find yourself unexpectedly on a page that resembles the Twitter login page, don't give up your username and password! Just type in Twitter.com into your browser bar and log in directly from the Twitter homepage.
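The two checks described in this section and in "Always check that you're at twitter.com before logging in" can be automated: expand a shortened link hop by hop without loading the final page, then test whether the landing address is really on twitter.com. The following is an added example, not Twitter's code or any browser plug-in. The redirect chain it walks is constructed for the example (`fetchImpl` is injectable so the same function works with the real `fetch` and `{ method: "HEAD", redirect: "manual" }`), and the trusted-host list is an assumption.

```javascript
// Added example, not Twitter's code: decide whether a URL is really a twitter.com
// login page, and follow a short link's redirect chain without fetching any page
// body. The redirect map below is constructed for the example.

const LEGIT_HOSTS = ["twitter.com"]; // assumption: the only base domain we trust

// True only if the URL uses https and its host is twitter.com or a subdomain of it.
// Comparing the parsed host (not a substring of the address) defeats the usual
// tricks: a prefix (twitter.com.evil.example), userinfo (twitter.com@evil.example),
// the name in the path (evil.example/twitter.com/login) and lookalike spellings.
function isTwitterLoginUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return false; // not a parseable URL at all
  }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return LEGIT_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Follows Location headers via HEAD requests and returns every hop, including the
// starting URL. fetchImpl is injected so the caller can use the real fetch
// (globalThis.fetch) or, as here, a stand-in that never touches the network.
async function expandShortUrl(raw, fetchImpl, maxHops = 10) {
  const hops = [raw];
  let current = raw;
  for (let i = 0; i < maxHops; i++) {
    const res = await fetchImpl(current, { method: "HEAD", redirect: "manual" });
    const loc = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !loc) return hops;
    current = new URL(loc, current).toString(); // Location may be relative
    hops.push(current);
  }
  throw new Error("too many redirects");
}

// Constructed redirect chain standing in for the network: a short link that
// bounces through an intermediate host and lands on a lookalike login page.
const FAKE_REDIRECTS = {
  "https://bit.ly/3abcxyz": "https://redirector.example/r1",
  "https://redirector.example/r1": "https://twitter.com.login-secure.example/login",
};
async function fakeFetch(url) {
  const target = FAKE_REDIRECTS[url];
  return {
    status: target ? 301 : 200,
    headers: { get: (k) => (k.toLowerCase() === "location" ? target || null : null) },
  };
}

// Expand the short link and report where it lands and whether that is Twitter.
async function demo() {
  const hops = await expandShortUrl("https://bit.ly/3abcxyz", fakeFetch);
  const landing = hops[hops.length - 1];
  return { hops, landing, safe: isTwitterLoginUrl(landing) };
}

demo().then((r) => console.log(r));
```

With the real `fetch`, some shorteners answer HEAD with a 200 interstitial page instead of a redirect; in that case the chain stops early and the landing URL is the shortener itself, which is a reason to distrust the link rather than to click it.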
Keep your computer and browser up-to-date and virus-free
Keep your browser and operating system updated with the most current versions and patches; patches are often released to close specific security holes that are already being exploited. Be sure to also scan your computer regularly for viruses, spyware, and adware.
If you're using a public computer, like at a library or school, make sure you always sign out of Twitter when you're done (there's a "Sign Out" link in the upper right of the site).
Assist any compromised friends and followers
If you get a weird link from a follower that you think is a phishing site or a spam site, reach out and suggest they change their password right away. You can also send them to the help page for compromised accounts so they can get more information.
Select third-party applications with care
There are lots of third-party programs and applications you can use with your Twitter accounts. These applications are built on the Twitter platform by external developers and allow you to do an array of neat things with your account. However, you should be cautious before giving up control of your account to someone else.
There are two ways to grant an application access to your account. The first is a secure protocol called OAuth. This is our recommended connection method: the application receives a token tied to that application rather than your password, and you can revoke that token from your settings at any time without changing your password. The other way, called Basic Authentication, requires you to give the application your Twitter username and password, so it holds exactly the credential you use to log in. You can find out more about OAuth and Basic Authentication on our Connecting to Third-Party Application help page.
You should be particularly cautious when you're asked to give your username and password to an application or website. When you give your username and password to someone else, they have complete control of your account and can lock you out or take actions that cause your account to be suspended. Be wary of any application that promises to make you money or get you followers. If it sounds too good to be true, it probably is!
Some legitimate applications do ask for your username and password. These include installed applications you use for tweeting from your desktop or mobile phone. Just be sure to research applications thoroughly before providing account access.
Review the Applications tab in Account Settings periodically and revoke access for any third-party application that you don't recognize or no longer use.