Secure Your Twilio Account
It is important to keep your Twilio account secure to prevent unauthorized use. Here are a few steps to protect your account.
Create a strong passphrase
- Your passphrase should be at least 14 characters long (see below to learn more)
- Make sure you do not re-use passwords between accounts.
- Use a password manager to help manage multiple passwords.
Use multi-factor authentication
- Help protect your Twilio account with two-factor authentication. Learn how here!
Protect your auth token from unauthorized use
- See Best Practices to Protect Your Auth Token to learn how to prevent others from seeing your token.
- Change your auth token periodically. See Auth Tokens and How to Change Them.
Control sub-account permissions
- When you create sub-accounts for employees or collaborators, use the Console to assign them roles with the minimum level of permissions that will allow them to do their jobs.
Protect your API keys
- Never bake your API keys into an application or leave them in source code.
- Don’t even leave API keys in plain text on your laptop! Leverage environment variables instead.
- See the Anti-Fraud Developer’s Guide.
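The two API key rules above, as an added example (not Twilio's own code): a check that flags credentials left in source text, next to a loader that reads them from environment variables and fails closed. The environment variable names, the function names and the 32-character secret heuristic are assumptions made for this example; the sample input is constructed.

```python
import os
import re

# Twilio API Key SIDs are "SK" followed by 32 hex characters.
KEY_SID_RE = re.compile(r"\bSK[0-9a-fA-F]{32}\b")
# Heuristic (assumption): a 32-character literal assigned to a name that
# contains "token" or "secret" is a hard-coded auth token or API key secret.
SECRET_RE = re.compile(
    r"\b\w*(?:token|secret)\w*['\"]?\s*[:=]\s*['\"][0-9A-Za-z]{32}['\"]",
    re.IGNORECASE,
)
ENV_NAMES = ("TWILIO_ACCOUNT_SID", "TWILIO_API_KEY", "TWILIO_API_SECRET")


def find_hardcoded_credentials(text):
    """Return (line_number, kind) for every line that embeds a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if KEY_SID_RE.search(line):
            findings.append((lineno, "api_key_sid"))
        if SECRET_RE.search(line):
            findings.append((lineno, "secret_literal"))
    return findings


def load_twilio_credentials(env=None):
    """Read credentials from the environment; raise if any is missing."""
    env = os.environ if env is None else env
    missing = [name for name in ENV_NAMES if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {name: env[name] for name in ENV_NAMES}


# Constructed sample source file; the credential values are fake.
FAKE = "0123456789abcdef" * 2
SAMPLE = f'''from twilio.rest import Client
api_key = "SK{FAKE}"
auth_token = "{FAKE}"
api_secret = os.environ["TWILIO_API_SECRET"]
'''

if __name__ == "__main__":
    for lineno, kind in find_hardcoded_credentials(SAMPLE):
        print(f"line {lineno}: {kind}")
```

Run the check over staged files before a commit; a line that reads its value from the environment, like the last line of the sample, produces no finding.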
Grant temporary access tokens wisely
- Use Authy Two-factor Authentication (using Twilio's Authy API).
- Make access tokens expire as quickly as is practical.
Use up-to-date technology
Make sure you are using the most up-to-date version of your operating system, applications, and Twilio SDKs.
- Check for the latest Twilio tools on our SDKs page.
- If you find a vulnerability, report it in our Bug Bounty.
Protect yourself online
- Use a VPN or a WiFi hotspot powered by Twilio Wireless.
- Make sure that the certificates presented by websites you visit are correct and match what you expect.
Why you should use a long passphrase
What does it mean these days to have a strong passphrase? It turns out that a jumble of hard-to-remember characters is not as effective as a longer but easier-to-remember passphrase. The longer, the better.
A 14-character passphrase using uppercase and lowercase letters can be millions of times more complex than an 8-character passphrase that includes symbols and digits:
- Passphrase A:
  - 8 characters long
  - 95 possible letters, digits, symbols: 95^8 = 6.634 x 10^15
- Passphrase B:
  - 14 characters long
  - 52 possible upper/lowercase letters: 52^14 = 1.057 x 10^24
- Result: Passphrase B is 159 million times more complex!