Secure Your Twilio Account

• Your passphrase should be at least 14 characters long (see below to learn more)
• Make sure you do not re-use passwords between accounts.
• Use a password manager to help manage multiple passwords.

• Help protect your Twilio account with two-factor authentication. Learn how here!

• See Best Practices to Protect Your Auth Token to learn how to prevent others from seeing your token.
• Change your auth token periodically. See Auth Tokens and How to Change Them.

• When you create sub-accounts for employees or co-collaborators, use the Console to assign them roles with the minimum level of permissions that will allow them to do their jobs.

• Never bake your API keys into an application or leave them in the source code.
• Don't even leave API keys in plain text on your laptop! Leverage environment variables instead.
• See the Anti-Fraud Developer's Guide.

• Use Authy Two-factor Authentication (using Twilio's Authy API).
• Make access tokens expire as quickly as is practical.

Make sure you are using the most up-to-date version of your operating system, applications, and Twilio SDKs.

• Check for the latest Twilio tools on our SDKspage.
• If you find a vulnerability, report it in our Bug Bounty.

• Use a VPN or a WiFi hotspot powered by Twilio Wireless.
• Make sure that the certificates presented by websites you visit are correct and match what you expect.

What does it mean these days to have a strong passphrase? It turns out that a jumble of hard-to-remember characters is not as effective as a longer but easier-to-remember password. The longer, the better.

A 14-character passphrase using uppercase and lowercase letters can be millions of times more complex than an 8-character passphrase that includes symbols and digits:

• Passphrase A:
  • 8 characters long
  • 95 possible letters, digits, symbols: 958 = 6.634 x 1015
• Passphrase B:
  • 14 characters long
  • 52 possible upper/lowercase letters: 5214 = 1.057 x 1024
• Result: Passphrase B is 159 million times more complex!