Account security is important---not just for online shopping and bank accounts, but your social accounts too. The damage someone could do to your personal and professional life can be devastating. Just like any other important account, you have to take the proper precautions to make sure you're the only one with access.

Update: Twitter just announced that they stored everybody's passwords in plain text on their servers and we're probably going to find out that somebody has a file with everybody's password at some point. So.... you should change your password. And enable two-factor authentication, which prevents anybody from logging in as you, even if they steal your password or Twitter just starts printing off our passwords and mailing them to random people.

A few weeks ago, I got a mention on Twitter from a very close friend of mine. It was a crude tweet with a link---something he would never do. I immediately jumped over to his profile to see that these sort of tweets had been happening for a couple of days, and there were a lot of them. Given the nature of his job, I knew this was bad. I called him up to let him know what was happening, and he took care of the situation quickly.

This is just one of many scenarios that can play out if you don't properly secure your social accounts. Let's talk about how to make sure this doesn't happen to your Twitter account, shall we?

While you can do most of the stuff we're going to talk about today from the Twitter app, we'll be covering most of this stuff from the web.

Like with most, you're going to want to start in your Twitter Account Settings. There are a few areas to focus on here, starting with your first line of defense: your password.

Choose a Strong Password

I know you've heard it all before, but I'm going to be the guy that keeps saying it until you listen: you have to use a strong password. This is not an option---if it's easy for anyone you know to guess, it's not strong! If all it takes is for someone to learn a little bit about you---favorite colors, pet names, children's names or birthdays, etc.---to guess your password, then it's a no go. I get it, those are the easiest to remember. I know. But they're also the most insecure.

Related: Why You Should Use a Password Manager, and How to Get Started

Of course, the more secure your password, the harder it is to remember. To that end, you really should use a password manager. I've been using LastPass for years---it has every password I actively use stored behind its locked doors, and it's great. I remember my primary LastPass password, and it does the rest for me. It generates secure passwords and remembers them so I don't have to.

Once you've committed to a lifestyle of secure passwords, it's time to change that crummy Twitter password of yours. From Twitter's Account Settings page, click on "Password."

You'll first have to input your old password, then choose a new one. If you set up LastPass (or any other password generator), I'd just let it do its thing here. When you're finished, just click "Save changes."

Good job, you're now one step closer to having a safe account.

Use SMS Two-Factor Authentication

Your second line of security is two-step authentication, which is also often called Two-Factor Authentication (or 2FA for short). Twitter actually simplifies this even more, just calling the feature "Login verification."

Basically, this means that whenever you (or anyone else) try to log in to your Twitter account, it will also require a unique code that is sent to your phone number, or generated by a third-party 2FA service. Of course it doesn't help a whole lot if someone has your phone, but at that point you have a lot more to worry about than just Twitter.

To set up login verification, head to your Twitter preferences, which will take you to that "Account" section. Look for the "Security" section and you should see a "Set Up Login Verification" button.

Click that box. A popup will show up, allowing you to set the feature up.

Click start here, then put in your password.

The next page will ask you to verify your phone number---click "Send code" once you've verified that the number is correct.

Within a few seconds, you should get a code sent to your phone. Input that code into the next screen to confirm.

After you input the code, it will let you know that login verification is enabled on your account and offer backup codes. If you don't do this now, you can always get them later by accessing Settings > Security and Privacy again.

Once Login Requests has been enabled, a new option will also show up: Generate app password. Essentially, this will create a temporary password that you can use to log in to Twitter on new devices or in apps. The temporary password will expire after one hour, making this a nice security feature for quick logins.

With everything all set up, head down to the very bottom of the page and click "Save changes." That's important!

Use Application-Based Two Factor Authentication

Related: Why You Shouldn't Use SMS for Two-Factor Authentication (and What to Use Instead)

Twitter defaults to texting you verification codes, but SMS-based two-factor authentication is insecure for many reasons. Happily, Twitter now supports third-party verification applications, such as Authy. These tools have a better security track record than SMS, and we recommend you use one.

To get started, you will first need to set up SMS-based two-factor authentication, so follow the instructions above. Head back to the "Account" section in your Twitter settings and the button you pressed before will now be labeled "Review your login verification methods."

Click the button again and you'll be brought to the page outlining your login verification methods.

Click the "Set Up" link next to "Mobile security app" and the process will begin.

Click "Start" and you'll be given a QR code to scan with the mobile 2FA application of your choice.

How to do this will vary depending on your 2FA application, but in Authy it's as simple as tapping the menu followed by "Add New Account," then following the instructions.

Scan the code and you're done. We recommend disabling text message verification after setting this up, in order to fully protect yourself from SMS's security shortcomings.

Require Personal Information with a Password Reset

In the same menu where you set up Login Requests, there's another option you'll probably want to enable as well: "Require personal information to reset my password".

When you tick this box, Twitter will require personal information from you before allowing the password to be reset. This will essentially help prevent would-be wrongdoers from jacking your account by resetting your password.

Once you've ticked that little box, hit the "Save changes" button on the bottom of the page.

Keep an Eye on Connected Apps

Like with other accounts---Google, Facebook, etc.---you can use Twitter to log in to other apps and services. This is a very simple way of gaining access to specific services quickly and easily---especially ones that will ultimately be able to post Tweets to your account.

But over time, you may stop using these apps. That's why it's always a good idea to keep an eye on what you've granted access to. If you no longer use that app or service, revoke its access. No point in giving access to something you don't use!

To do this, click the "Apps" entry on your Account Settings page. It's closer to the bottom of the page.

Just go through the list---if you see something obsolete, just click the "Revoke access" button. Repeat this process for any apps you don't use. I'd come back and check this list once every few months too, just to keep it clean.

If you happen to accidentally click "revoke" on an app you still use, an "Undo Revoke Access" option is at the ready for you. That's convenient.

While there are a handful of other areas in Twitter's Account Settings that you may also want to take a closer look at---notifications, for example---they don't necessarily directly correlate with securing your account. Making it less annoying? Sure. But not securing.

What we've covered here today, however, is the brick and mortar of making sure your account is as safe and secure as it can be.