Secure Your Twilio Account
It is important to keep your Twilio account secure to prevent unauthorized use. Here are a few steps to protect your account.
- Your passphrase should be at least 14 characters long (see below to learn more)
- Make sure you do not re-use passwords between accounts.
- Use a password manager to help manage multiple passwords.
- Protect your Twilio account with two-factor authentication.
- When you create sub-accounts or invite employees and other collaborators, use the Console to assign them roles with the minimum permissions that allow them to do their jobs.
- Never bake your API keys into an application or leave them in the source code (that includes commit history and build artifacts).
- Don't leave API keys in plain text on your laptop either. Load them from environment variables or a secrets manager at run time, and revoke and re-issue any key that has been exposed.
- See the Anti-Fraud Developer's Guide.
- Use Authy Two-factor Authentication (using Twilio's Authy API).
- Give Access Tokens the shortest lifetime (TTL) that is practical for your application.
- Make sure you are using the most up-to-date version of your operating system, applications, and Twilio SDKs.
- Check for the latest Twilio tools on our SDKs page.
- If you find a vulnerability, report it in our Bug Bounty.
- Check that the TLS certificate presented by the Twilio Console, the Twilio API, and any other site where you enter credentials is valid and issued for the domain you expect; never click through a certificate warning.
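As an added example (not Twilio's own code) of the credential-handling advice in the list above: the commented-out anti-pattern bakes a placeholder Account SID into the source, the loader reads credentials from the environment and fails fast when one is missing, keeps the secret out of logs, and a small scanner finds Account or API Key SIDs that were left in source text. The environment variable names and the sample source snippets are assumptions made for this example; the SID shape (a two-letter prefix followed by 32 hex characters, "AC" for Account SIDs and "SK" for API Key SIDs) follows Twilio's public SID convention.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Anti-pattern: a credential baked into the source. The value is a constructed
# placeholder, not a real SID, but a real one would be just as easy to find.
# account_sid = "ACdeadbeefdeadbeefdeadbeefdeadbeef"   # never do this

# Variable names are an assumption for this example; match what your deployment sets.
REQUIRED_VARS = ("TWILIO_ACCOUNT_SID", "TWILIO_API_KEY", "TWILIO_API_SECRET")

# Twilio SIDs are a two-letter prefix plus 32 hex characters: "AC" is an
# Account SID, "SK" an API Key SID. Auth tokens and API secrets have no fixed
# prefix, so a scanner like this catches the identifiers, not every secret.
SID_PATTERN = re.compile(r"\b(?:AC|SK)[0-9a-fA-F]{32}\b")


@dataclass(frozen=True)
class TwilioCredentials:
    account_sid: str
    api_key: str
    api_secret: str

    def __repr__(self) -> str:
        # Keep the secret out of logs, tracebacks and debugger output.
        return (f"TwilioCredentials(account_sid={self.account_sid!r}, "
                f"api_key={self.api_key!r}, api_secret='***')")


def missing_credentials(env: Mapping[str, str]) -> List[str]:
    """Names of required variables that are unset or empty in the given mapping."""
    return [name for name in REQUIRED_VARS if not env.get(name)]


def load_credentials(env: Optional[Mapping[str, str]] = None) -> TwilioCredentials:
    """Read credentials from the process environment (or a supplied mapping).

    Fails fast with the list of missing names instead of limping on with
    empty strings that would only surface as an authentication error later.
    """
    env = os.environ if env is None else env
    missing = missing_credentials(env)
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return TwilioCredentials(
        account_sid=env["TWILIO_ACCOUNT_SID"],
        api_key=env["TWILIO_API_KEY"],
        api_secret=env["TWILIO_API_SECRET"],
    )


def find_hardcoded_sids(source: str) -> List[str]:
    """Return Account/API Key SIDs that appear literally in a piece of source text."""
    return SID_PATTERN.findall(source)


# Constructed sample sources for the scanner: one with a baked-in SID, one that
# reads its credentials from the environment.
BAD_SOURCE = 'client = Client("ACdeadbeefdeadbeefdeadbeefdeadbeef", "token")\n'
GOOD_SOURCE = ('client = Client(os.environ["TWILIO_ACCOUNT_SID"], '
               'os.environ["TWILIO_AUTH_TOKEN"])\n')

if __name__ == "__main__":
    print("hard-coded SIDs in BAD_SOURCE:", find_hardcoded_sids(BAD_SOURCE))
    print("hard-coded SIDs in GOOD_SOURCE:", find_hardcoded_sids(GOOD_SOURCE))
    print("missing in this shell:", missing_credentials(os.environ) or "none")
```

Run the scanner over your tree (or wire it into a pre-commit hook) and treat any hit as a key to revoke, not just a line to delete: once a SID and its secret have been committed, rewriting history does not un-leak them.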
What makes a passphrase strong today? A short jumble of hard-to-remember characters is less effective than a longer passphrase that is easier to remember: for a given alphabet, every extra character multiplies the search space. The longer, the better, provided the passphrase is not a common phrase or lyric that a dictionary attack would try first.
A 14-character passphrase using uppercase and lowercase letters can be millions of times more complex than an 8-character passphrase that includes symbols and digits:
- Passphrase A:
  - 8 characters long
  - 95 possible letters, digits and symbols: 95^8 = 6.634 x 10^15
- Passphrase B:
  - 14 characters long
  - 52 possible upper/lowercase letters: 52^14 = 1.057 x 10^24
- Result: Passphrase B's search space is about 159 million times larger.
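The comparison above, carried through as an added example (not part of the original page): the functions reproduce the two search spaces and their ratio, convert each to bits of entropy, and estimate how long exhausting the space would take at an assumed guess rate. It also goes one step beyond the page by treating a word list as the alphabet, so the same formula covers word-based passphrases. The 1e10 guesses/s figure and the 7776-word list size are assumptions chosen for illustration.

```python
import math

MIXED_CASE_LETTERS = 52   # a-z and A-Z
PRINTABLE_ASCII = 95      # letters, digits and symbols on a US keyboard
WORD_LIST = 7776          # assumed size of a word list used for random-word passphrases

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every symbol (or word) is chosen uniformly at random.

    A phrase picked by a human from memory has far less entropy than this;
    the formula only holds for genuinely random choices.
    """
    return length * math.log2(alphabet_size)


def keyspace_ratio(alphabet_a: int, length_a: int,
                   alphabet_b: int, length_b: int) -> float:
    """How many times larger B's search space is than A's."""
    return keyspace(alphabet_b, length_b) / keyspace(alphabet_a, length_a)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float = 1e10) -> float:
    """Years for an attacker to try every candidate at the given guess rate.

    1e10 guesses/s is an assumed figure for an offline attack against a fast
    hash; an online login behind rate limiting is many orders of magnitude
    slower, so treat this as the pessimistic bound.
    """
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, alphabet, length in (
        ("A: 8 chars from 95 symbols", PRINTABLE_ASCII, 8),
        ("B: 14 chars from 52 letters", MIXED_CASE_LETTERS, 14),
        ("C: 4 random words from 7776", WORD_LIST, 4),
    ):
        print(f"{label}: {keyspace(alphabet, length):.3e} candidates, "
              f"{entropy_bits(alphabet, length):.1f} bits, "
              f"{years_to_exhaust(alphabet, length):.3g} years to exhaust")
    print(f"B/A ratio: {keyspace_ratio(PRINTABLE_ASCII, 8, MIXED_CASE_LETTERS, 14):.3e}")
```

The bits column is the number to compare: passphrase A sits near 53 bits and B near 80, and the 159-million ratio is just 2 to the power of the roughly 27-bit difference. Four random words from a 7776-word list land around 52 bits, on par with A, which is why word-based passphrases need five or six words to match B.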