As data breaches and identity thefts are happening left and right, day and night, the best time to secure your Twitter account was yesterday. Here’s four straightforward steps you should take in order to significantly decrease the possibility of your account getting accessed by an outsider. Most of these things are applicable to other online services as well, so once you’re done hardening your Twitter account, take a critical look at your other accounts both on and off social media.
- Let’s start with the obvious: use a strong and unique password. Twitter recommends passwords to be at least 10 characters long and a mix of uppercase, lowercase, numbers, and symbols. As always, password manager is the way to go, because if you can remember your password, it’s a weak password.
- Note that changing your password doesn’t automatically log the account out of Twitter for iOS or Twitter for Android applications. So once you’ve changed your password, sign in online and visit Apps and devices in your settings. From there you should revoke access for all applications and log out of all devices.
- Remember that Twitter will never ask your password via email, Direct Message or tweet. If you see such shady behavior on Twitter, make sure to report those accounts.
- Enable two-factor authentication. Twitter calls this Login verification.
- SMS verification is demonstrably a terrible two-factor method, so prefer mobile security app or a hardware security key.
- Do not add your phone number to your account.
- Extended step-by-step instructions can be found here.
- Remember to download and store your backup codes somewhere safe 🙂
- Enable Password reset protect. This used to be called Password reset verification in the old UI, but the functionality is the same.
- It doesn’t provide much of added security, but at least instead of leaking out parts of your phone number or email address (system that I abused for this article), whoever is trying to reset your password would have to already know either one of those.
- As a bonus step, you might also want to consider disabling Discoverability and contacts options.
- If you’re using your own name on Twitter anyway, your contacts will find you (and vice versa) without you giving Twitter the option to connect the dots for you.
- Also there’s no need to give a potential adversary the possibility to verify the email address or phone number you have associated with your account.
Thanks for reading. While you’re here, take a look at my guide how to get the most non-personalized experience on Twitter, that is, how you can get back the Twitter timeline we learned to love: unskewed by algorithm and without pre-filtering.
This guide is part of my social media hardening series. You can find more articles like this, covering e.g. LinkedIn or Reddit, from this category.