How to secure your Twitter account

The microblogging service's ability to promulgate links in an instant makes Twitter a magnet for malware distributors. Prevent your Twitter account from being hijacked by using strong passwords and enabling the option to require an e-mail address or phone number to reset your password.

Dennis O'Reilly Former CNET contributor

Twitter took some heat earlier this month for resetting more passwords than necessary after detecting a security breach in its microblogging network, as CNET's Daniel Terdiman reported on the Internet & Media blog.

The more followers you have, the more potential damage may result from a compromised Twitter account. That's why it's big news when the Twitter feeds of media organizations such as Reuters and Fox News are breached by hackers who post false news stories.

CNET News Editor Steven Musil describes the two attacks on the Reuters Twitter account last August. Fox News' infamous erroneous Twitter post on July 4, 2011, about President Obama being assassinated, is explained in Stephen Shankland's Deep Tech blog.

Twitter hackers strike close to home -- twice
For the second time in less than a year, my Twitter account was hacked by someone who used it to tweet links to phishing sites. Even though Twitter isn't noted for its iron-clad security, I have only myself to blame for both successful attacks on the account. (In 18 years of using the Internet, these are the only two times an account of mine has been compromised -- at least to my knowledge.)

My first mistake was using a password that wasn't strong enough. My second mistake was failing to monitor the Twitter account for weeks at a time, so several phishing tweets had posted from the account by the time I got wind of them.

Last February, Twitter began encrypting all connections to the service by making HTTPS the default. The Twitter blog post explaining the change indicates that you can disable HTTPS in your account settings, but this option appears to have been removed in the interim.

The advice offered on the Twitter support site for keeping your account secure boils down to using strong passwords, ensuring you're on Twitter.com when you sign in, and not sharing your ID and password with third parties. The site also reminds users to keep all their software patched and to watch out for suspicious links -- not particularly novel advice, but always timely.

The widespread use of URL shorteners on Twitter makes a URL expander required equipment to avoid falling prey to a phishing attack. All the major browsers have extensions that expand URLs shortened by such services as tinyurl, bit.ly, and snipurl. An alternative to downloading and installing a URL-expander plug-in for each browser you use is to paste the shortened address in the expander at LongURL.org and click the Expand button.

Identify the destination of a shortened URL by pasting the abbreviated address in the textbox at LongURL.org and clicking the Expand button. Screenshot by Dennis O'Reilly/CNET

In addition to the link's full URL, LongURL.org displays the page title, the number of redirects, meta keywords, meta description, and content type. The service also shows a thumbnail image of the destination page, although the image failed to appear when I tested the link checker with several different shortened URLs.

LongURL.org shows the page title, a thumbnail image, and other information about the destination of a shortened URL. Screenshot by Dennis O'Reilly/CNET

Suggestions for strong Twitter passwords from Google, elsewhere
As usual, your password is your first line of defense against your Twitter account being hacked. The Twitter Safety Center links to a post on Google's Gmail blog describing how to create hack-proof passwords. In a post from last month I covered the safe way to write down your passwords.

That post was a follow-up to a story in September, "Ten simple, common-sense security tips," which suggested a password-creation technique that doesn't rely on a mix of letters, numbers, upper- and lower-case, and punctuation. When it comes to password advice, it all boils down to using whichever approach works for you. Just make sure the password is difficult to guess and unique for each site; long passwords that you change frequently are even safer.

The Twitter Safety Center offers advice for people whose Twitter accounts have been compromised: in a nutshell, it advises that you change your password, revoke connections to third-party applications, and delete the bogus posts. The page also links to forms for reporting sign-in problems.

Improve security by tweaking your Twitter account settings
By default, Twitter lets you reset your password simply by providing your @username. To require your e-mail address or telephone number to change your account password, click the gear icon in the top-right corner of the Twitter home screen and choose Settings. Scroll to "Password reset," check "Require personal information to reset my password," click the "Save changes" button, enter your password, and press Enter to confirm the change.

Make sure Twitter asks for your e-mail address or phone number before allowing a password reset by checking this option in your account settings. Screenshot by Dennis O'Reilly/CNET

Other settings let you display media that may contain sensitive content, warn your followers that you may tweet images or video with sensitive content, and prevent your tweets from being received by anyone you haven't approved beforehand. You can also uncheck the option to let other people search for you by e-mail address, add a location to your tweets (or delete all location information), and deactivate your account, which takes 30 days to complete.

Click "Email notifications" in the left pane of the account window to change the way you're alerted when someone replies to or retweets one of your posts, or marks it as a favorite. By default, you're notified whenever people you follow reply, retweet, or mark a tweet as a favorite, and whenever you're followed by someone new or receive a direct message. You can choose to be notified whenever anyone acts on one of your tweets via that option on the drop-down menu, or not at all by unchecking the option.

If you don't want to receive a weekly digest of top tweets and stories, uncheck the option under "Activity on your network" (you can also choose to receive a daily digest of top tweets). Also checked by default are the options to receive updates from Twitter for news from the company and its partners, tips, suggestions for people you may know, and things you missed since the last time you signed in. You'll also get requests to participate in research surveys unless you uncheck that option.

To prevent Twitter from flooding you with updates whenever someone your second cousin knows blows their nose, uncheck the many notification options that are enabled by default. Screenshot by Dennis O'Reilly/CNET

The Twitter Safety Center provides information specifically for parents, for teachers, and for teens. Other help topics are protecting your personal information, safeguarding online photos, and responding to abusive behavior.

Other Safety Center resources cover how to report violations, how to flag media violations, and how to report spam.

Perhaps the least-read resource in the Twitter Help Center is the Twitter Rules page, which will likely be found useful only by lawyers and insomniacs (but not necessarily insomniac lawyers).