We have updated the minimum password requirements for Twilio accounts as of September 2021. This guide explains the new requirements, and everything you need to know about this change.
New Password Requirements
All Twilio account passwords have the following requirements:
- Passwords must contain at least 16 characters.
- Passwords can’t contain the same character repeated 3 or more times in a row (e.g., “AAAbcdef”).
- Passwords can’t contain the words Twilio or SendGrid, or mangled variations of them (e.g., “Tw1L1o”, “S3ndGr1d”).
- Passwords can’t be the same as your previous password.
We recommend using a password manager to generate and manage your Twilio passwords. If a password manager is not available, consider using a long passphrase that has meaning to you. It should include special characters and be difficult to crack.
Adhering to the new password requirements
Every time you successfully log in to Twilio.com, we check the password you entered against our minimum password policy requirements.
If your password doesn't meet our minimum, we automatically trigger a password reset request by sending a link to the email address linked to your Twilio user. The link in the reset email will guide you through creating a more secure password, and you’ll be ready to access Twilio again.
The minimum password standard check is separate from the comparison we perform to authenticate your account, which involves “hashing” the password (applying a secure one-way function) and comparing the result to our securely stored value. Twilio does not store your password in plaintext or in a reversible format.
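The login-time check described above, combined with the four requirements listed earlier, can be sketched as follows. This is an added example, not Twilio's code: the function names, the look-alike substitution map, and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib, hmac, os, re

# Assumed look-alike map; the page does not publish the real substitution list.
FOLD = str.maketrans("1!|l304@$5", "iiiieoaass")
ITERATIONS = 600_000  # assumed PBKDF2 work factor

def canonical(text):
    """Lower-case, undo look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))

# Banned words are folded the same way, so "l", "1" and "i" all compare equal.
BANNED = tuple(canonical(w) for w in ("Twilio", "SendGrid"))

def policy_violations(password):
    """Return which of the page's requirements the plaintext fails."""
    problems = []
    if len(password) < 16:
        problems.append("length")
    if re.search(r"(.)\1\1", password, re.S):  # same character 3+ times in a row
        problems.append("repeat")
    if any(word in canonical(password) for word in BANNED):
        problems.append("banned_word")
    return problems

def hash_password(password, salt=None):
    """Salted one-way hash; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def login(password, salt, digest):
    """Authenticate first; the policy check runs only on a correct password."""
    if not verify(password, salt, digest):
        return "denied"
    return "reset_required" if policy_violations(password) else "ok"

def change_password(new, salt, digest):
    """Reject weak passwords and reuse of the previous one (checked via its hash)."""
    if policy_violations(new):
        return "rejected"
    if verify(new, salt, digest):
        return "reused"
    return "accepted"
```

Because only the salted hash is stored, the policy can be evaluated only at the moment the plaintext is submitted, which is why the check happens at login rather than as a batch scan of stored credentials.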
I haven’t logged in recently but I received one or more password reset emails
Someone may have discovered your password through credential stuffing (which involves attempting logins with passwords shared with other compromised sites) or guessed your password using other techniques. Your Twilio project has not been compromised, but your password may have been. You are blocked from console access until you upgrade your password to the new requirements. You should log in to Twilio with your old password and get a fresh password reset link, upgrade your password strength, and you’ll be all set!
I didn’t receive a password reset email
Please check your spam folder first. If you can’t locate your email, you can get in touch with our support team to receive a reset link.
If you no longer have access to the email you registered under, we’ll verify by other means. You can contact customer support for more details.
What else can I do to secure my project?
For additional security we also recommend you implement our two-factor solution using SMS or Authy. Please see the following support article on how to do that: Enabling two factor authentication on your Twilio project, and our guide regarding anti-fraud prevention: Anti-Fraud Developer’s Guide