About account security

To help keep your account secure, we recommend the following best practices:

  • Use a strong password that you don’t reuse on other websites.
  • Use two-factor authentication.
  • Require email and phone number to request a reset password link or code.
  • Be cautious of suspicious links and always make sure you’re on twitter.com before you enter your login information.
  • Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.
  • Make sure your computer software, including your browser, is up-to-date with the most recent upgrades and anti-virus software.
  • Check to see if your account has been compromised.

Password strength

Create a strong and unique password for your X account. You should also create an equally strong and unique password for the email address associated with your X account.

Do’s:

  • Do create a password at least 10 characters long. Longer is better.
  • Do use a mix of uppercase, lowercase, numbers, and symbols.
  • Do use a different password for each website you visit.
  • Do keep your password in a safe place. Consider using password management software to store all of your login information securely.

Don’ts:

  • Do not use personal information in your password such as phone numbers, birthdays, etc.
  • Do not use common dictionary words such as “password”, “iloveyou”, etc.
  • Do not use sequences such as “abcd1234”, or keyboard sequences like “qwerty.”
  • Do not reuse passwords across websites. Your X account password should be unique to X.
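
The do's and don'ts above, expressed as a local password check. This is an added example, not code from X; the function names, the four-character run length and the short word list are assumptions made for illustration.

```javascript
// Constructed sample list; a real check would load a large list of common passwords.
const COMMON_WORDS = ["password", "iloveyou", "letmein", "welcome"];
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// True if s contains `len` characters that each follow the previous one (abcd, 1234).
function hasAscendingRun(s, len = 4) {
  let run = 1;
  for (let i = 1; i < s.length; i++) {
    run = s.charCodeAt(i) === s.charCodeAt(i - 1) + 1 ? run + 1 : 1;
    if (run >= len) return true;
  }
  return false;
}

// True if s contains `len` neighbouring keys from one keyboard row (qwer, asdf).
function hasKeyboardRun(s, len = 4) {
  for (const row of KEYBOARD_ROWS) {
    for (let i = 0; i + len <= row.length; i++) {
      if (s.includes(row.slice(i, i + len))) return true;
    }
  }
  return false;
}

// Returns the list of rules from this page that the password breaks (empty = none).
// `personal` holds strings such as a phone number or birthday supplied by the caller.
function auditPassword(password, personal = []) {
  const lower = password.toLowerCase();
  const problems = [];
  if ([...password].length < 10) problems.push("shorter than 10 characters");
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  if (!classes.every((re) => re.test(password))) problems.push("missing a character class");
  if (COMMON_WORDS.some((w) => lower.includes(w))) problems.push("contains a common word");
  if (hasAscendingRun(lower) || hasKeyboardRun(lower)) problems.push("contains a sequence");
  if (personal.some((p) => p && lower.includes(String(p).toLowerCase()))) {
    problems.push("contains personal information");
  }
  return problems;
}

// Constructed sample passwords, for illustration only.
for (const pw of ["abcd1234", "Qwerty!2024xx", "Tr!ck-Maple7-Vio1in"]) {
  console.log(pw, "->", auditPassword(pw));
}
```

The check cannot tell whether a password is reused on another website; that rule still depends on a password manager or on you.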

Additionally, you can select Password reset protection in your Account settings. If you check this box, you will be prompted to enter either your email address or phone number (or your email address and then your phone number, if both are associated with your account) in order to have a reset password link or confirmation code sent if you ever forget your password.

How to find your password reset settings

  1. Navigate to your main menu
  2. Tap Settings and privacy
  3. Tap Account
  4. Tap Security
  5. Toggle on Password reset protection

  1. Navigate to your App Settings
  2. Tap Account
  3. Tap Security
  4. Toggle Password reset protection

Use two-factor authentication

Two-factor authentication is an extra layer of security for your account. Instead of relying on a password only, two-factor authentication introduces a second check to help make sure that you, and only you, can access your X account. Only people who have access to both your password and your mobile phone (or a security key) will be able to log in to your account.

Read our article on two-factor authentication to learn more.



Check that you're on X.com


Phishing is when someone tries to trick you into giving up your X username, email address or phone number and password, usually so they can send out spam from your account. Often, they’ll try to trick you with a link that goes to a fake login page. Whenever you are prompted to enter your X password, take a quick look at the URL in the address bar of your browser to make sure you're on twitter.com. Additionally, if you receive a Direct Message (even from a friend) with a URL that looks odd, we recommend you do not open the link.

Phishing websites will often look just like X's login page, but will actually be a website that is not X. X domains will always have https://X.com/ as the base domain. Here are some examples of X login pages:


If you are ever unsure about a login page, go directly to twitter.com and enter your credentials there. If you think you may have been phished, change your password as soon as possible and visit our compromised account article for additional instructions. 

Read about fake X emails for more information about phishing through email.  
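
The address-bar check described in this section, written out as code. This is an added example, not code from X; the function name is hypothetical, the allowlist holds the two base domains this page names, and the sample URLs are constructed using reserved example domains.

```javascript
// Base domains named on this page (assumption: both are accepted).
const TRUSTED_BASE_DOMAINS = ["x.com", "twitter.com"];

// Decides whether a URL points at a host under a trusted base domain over HTTPS.
function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // parses the way a browser would
  } catch {
    return { trusted: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "scheme is not https" };
  }
  // Text before an "@" is login data, not the host: in https://x.com@login.example/
  // the host is login.example.
  if (url.username || url.password) {
    return { trusted: false, reason: "URL carries userinfo before the host" };
  }
  // hostname is already lower-cased; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  // The host must BE the base domain or END with "." + base domain.
  // A plain substring or prefix match would accept x.com.login.example.
  const base = TRUSTED_BASE_DOMAINS.find((d) => host === d || host.endsWith("." + d));
  if (!base) {
    return { trusted: false, reason: "host " + host + " is not under a trusted base domain" };
  }
  return { trusted: true, reason: "host " + host + " is under " + base };
}

// Constructed sample URLs, for illustration only.
const SAMPLE_URLS = [
  "https://x.com/login",
  "https://mobile.twitter.com/login",
  "http://x.com/login",
  "https://x.com.login.example/",
  "https://x.com@login.example/",
  "https://notx.com/login",
];
for (const u of SAMPLE_URLS) {
  const r = checkLoginUrl(u);
  console.log((r.trusted ? "OK     " : "REJECT ") + u + "  (" + r.reason + ")");
}
```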



We won't contact you asking for your password



X will never ask you to provide your password via email, Direct Message, or reply.

We will never ask you to download something or sign in to a non-X website. Never open an attachment or install any software from an email that claims to be from us; it's not.


If we suspect your account has been phished or hacked, we may reset your password to prevent the hacker from misusing your account. In this case, we'll email you an X.com password reset link.


If you forget your password, you can reset it via this link.

 

New and suspicious login alerts

If we detect a suspicious login or when you log in to your X account from a new device for the first time, we will send you a push notification within the X app, or via email as an extra layer of security for your account. Login alerts are only sent following new logins through X for iOS and Android, X.com, and mobile web.

Through these alerts, you can verify that it was you who logged in from the device. If you did not log in from the device, you should follow the steps in the notification to secure your account, starting by changing your X password immediately. Please note that the location listed in the notification is an approximate location derived from the IP address you used to access X, and it may be different from your physical location.

Note: If you log in to your X account from incognito browsers or browsers with cookies disabled, you will receive an alert each time.

Email address update alerts

Any time the email address associated with your X account is changed, we will send an email notification to the previously-used email address on your account. In the event your account is compromised, these alerts will help you take steps to regain control of your account.
 

Evaluating links on X

Many X users post links using URL shorteners, like bit.ly or TinyURL, to create unique, shortened links that are easier to share in posts. However, URL shorteners can obscure the end domain, making it difficult to tell where the link goes to.

Some browsers, like Chrome and Firefox, have free plug-ins that will show you the extended URLs without you having to click on them:

In general, please use caution when clicking on links. If you click on a link and find yourself unexpectedly on a page that resembles the X login page, do not enter your username and password. Instead, go to X.com and log in directly from the X homepage.
 

Keep your computer and browser up-to-date and virus-free

Keep your browser and operating system updated with the most current versions and patches—patches are often released to address particular security threats. Be sure to also scan your computer regularly for viruses, spyware, and adware.

If you're using a public computer, make sure you sign out of X when you're done.

Select third-party applications with care

There are many third-party applications built on the X platform by external developers that you can use with your X account(s). However, you should be cautious before giving third-party applications access to your account.

If you wish to grant a third-party application access to your account, we recommend that you only do so using X’s OAuth method. OAuth is a secure connection method and doesn’t require you to give your X username and password to the third party. You should be particularly cautious when you're asked to give your username and password to an application or website, as third-party applications don’t need your username and password to be granted access to your account via OAuth. When you give your username and password to someone else, they have complete control of your account and can lock you out or take actions that cause your account to be suspended. Learn about connecting or revoking third-party applications.

We suggest you review third-party applications that have access to your account from time to time. You can revoke access for applications that you don't recognize or that are posting on your behalf by visiting the Applications tab in your account settings.
