Here are some best practices we've put together for protecting your Tumblr account:
Choose a Totally Unique Password for Tumblr
It’s a good practice to avoid reusing passwords for any of your accounts, especially those already in use for your email account or other social media sites.
Use a Strong Password
Make your password long—the longer the better.
Password-cracking techniques have matured quickly and significantly in the past few decades, but the way we create our passwords hasn’t kept pace. As a result, the most common advice you’ll hear about creating a strong password today is very outdated and impractical.
A password created with that advice, like jal43#Koo%a, is very easy for a computer to break and very difficult for a human to remember and type.
The latest and most effective types of password attacks can attempt up to 350 billion guesses per second, and that number will no doubt increase significantly over the next few years.
Creating a strong password today requires modern techniques, and we’ll show you two of them in the next sections.
Use a Password Manager
We strongly recommend using a password manager to generate strong unique passwords that you don't have to remember yourself.
How to Use a Password Manager
There are many different manager applications to choose from, so you’ll want to pick which one you’d like to use, and then install it on your computer. These are the general steps, but you may want to check the documentation for your specific application for more details.
- Choose a password manager.
- Install it on your computer.
- Create a strong master password to open the password database. See the How to Create a Passphrase section of this article for advice on how to do that.
- (optional) Write down the master password, and store it in a secure location, like a safe-deposit box or a locked safe. It’s important to have a backup in case you ever forget the master password.
- (optional) Share your password database across multiple devices with the application’s built-in tools.
Now that you have your password manager set up, you can start to generate strong passwords with it. Find your manager’s built-in password-generation tool, and configure it to create 30-50 random characters, with a mixture of upper- and lower-case letters, numbers, and symbols.
You want to end up with something that looks like this: N9}>K!A8$6a23jk%sdf23)4Q[uRa~ds{234]sa+f423@.
That may look intimidating, but keep in mind that you’ll never need to remember it or type it in; your password manager will handle that for you automatically.
Consider Using a Passphrase
A passphrase is similar to a password, except that it’s made up of several randomly chosen words rather than a single word. For example: copy indicate trap bright.
Because the length of a password is one of the primary factors in how strong it is, passphrases are much more secure than traditional passwords. At the same time, they are also much easier to remember and type.
They’re not as strong as the kinds of passwords generated by password managers, but they’re still a good option if you don’t want to use a password manager. They’re also the best way to generate the master password for a password manager or your operating system account, since those can’t be automatically filled in by the password manager.
How to Create a Passphrase
Creating a passphrase follows similar rules to creating a traditional password, but it doesn’t need to be as complex, because the length of the phrase will provide enough security to outweigh the simplicity.
- Choose 4 random words. You can use the xkcd Passphrase Generator if you’d like, but it’s better if you make up your own.
- Add spaces between the words if you prefer.
At this point, you should have something that looks like: copy indicate trap bright
You can stop there if you’d like, or you can add some extra strength by following these steps:
- Make a few of the letters upper-case.
- Add in a few numbers and symbols.
After applying those rules, it will look something like: Copy indicate 48 Trap !#% bright
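To make the “length is what matters” argument concrete for both the manager-generated passwords and the four-word passphrases described above, here is an added example (not Tumblr’s code) that generates each kind with Python’s `secrets` module and works out how long an attacker making the 350 billion guesses per second quoted earlier would need to try every candidate. The word list is a small constructed sample; a real passphrase generator draws from a list of thousands of words.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 350e9  # attack rate quoted in the article

# Constructed sample word list (assumption): real generators use lists of
# thousands of words, which is what gives a four-word phrase its strength.
SAMPLE_WORDS = ["copy", "indicate", "trap", "bright", "anchor", "velvet",
                "ladder", "pumpkin", "glacier", "monsoon", "quartz", "saddle",
                "tundra", "walnut", "ember", "fossil"]

# Manager-style alphabet: 52 letters + 10 digits + 32 symbols = 94 characters.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` uniform, independent picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try all 2**bits candidates at `rate` guesses per second."""
    return 2 ** bits / rate


def generate_password(length: int = 40) -> str:
    """Manager-style password: uniformly random letters, digits and symbols."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generate_passphrase(words=SAMPLE_WORDS, count: int = 4) -> str:
    """Passphrase: `count` words drawn uniformly (with replacement) from `words`."""
    return " ".join(secrets.choice(words) for _ in range(count))


def password_entropy(length: int = 40) -> float:
    """Entropy of a manager-generated password of `length` characters."""
    return entropy_bits(len(PASSWORD_ALPHABET), length)


def passphrase_entropy(wordlist_size: int, count: int = 4) -> float:
    """Entropy of a `count`-word passphrase drawn from `wordlist_size` words."""
    return entropy_bits(wordlist_size, count)


if __name__ == "__main__":
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
    for label, bits in [("40-char manager password", password_entropy(40)),
                        ("4 words from 16-word sample", passphrase_entropy(len(SAMPLE_WORDS))),
                        ("4 words from 7776-word list", passphrase_entropy(7776))]:
        years = seconds_to_exhaust(bits) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years to exhaust")
```

At the quoted rate, four words from a 7776-word list (about 52 bits) can be exhausted in a few hours, while a 40-character manager password (about 262 bits) cannot be, which is the gap the article points to when it calls passphrases weaker than manager-generated passwords.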
Things to Avoid:
- Don’t place the words in a predictable pattern or form a proper sentence; that would make it much easier to guess.
- Don’t use song lyrics, quotes or anything else that’s been published. Attackers have massive databases of published works to build possible passwords from.
- Don’t use any personal information. Even when it’s combined with extra letters and numbers, someone who knows you, or can research you online, can easily guess a password built from this information.
Additional Tips
- Don’t use the same password twice. Many popular websites fail to adequately secure your password in their systems, and hackers routinely break into them and access hundreds of millions of accounts. If you reuse passwords from site to site, then someone who hacks into one site will be able to log in to your account on other sites. At the very least, make sure that you have unique passwords for all sites that store financial or other sensitive data, or ones that could be used to hurt your reputation.
- Make sure your email password is also strong. With many online services like tumblr.com, your email address serves as your identification. If a malicious user gains access to your email, they can easily reset your passwords and log in to your account.
- Don’t share your passwords. Even if you trust the person, it’s possible an attacker could intercept or eavesdrop on the transmission, or hack that person’s computer. If you suspect that someone else knows your password, you should change it immediately.
- Don’t send your password to anyone in an email. Emails are rarely encrypted, which makes them relatively easy for attackers to read. Tumblr staff will never ask you for your password.
- Don’t save your passwords in a web browser. They often fail to store the passwords in a secure manner, so use a password manager instead. See the section on password managers above for more information.
- Don’t save passwords or use “Remember Me” options on a public computer. If you do, then the next person to use the computer will be able to access your account. Also make sure you log out of your Tumblr account when you are done.
- Don’t write down your password. If it’s written down somewhere and someone can find it, it’s not secure. Store passwords in a password manager instead, so that they’ll be encrypted. See the section on password managers above for more information. The exception to this rule is storing unrecoverable passwords (like the master password for a password manager, or your operating system account) in a secure manner. One good way to secure them is to keep them in a safe-deposit box, or locked in a safe.
- Ensure you have enabled “Email me about account activity” in your account settings.
Turn on Two-Factor Authentication
With two-factor authentication (TFA), you can use any iOS, Android, BlackBerry, or SMS-capable mobile device as a unique key to your blog. After you sign up for the service, you will need to enter a specially generated one-time code whenever you try to log in to your Tumblr account. This means that even if someone gets your password, they won’t be able to log in without possessing your mobile device as well.
When you turn on TFA, you will also need to generate and save your backup codes, which you can use in the event that you lose your TFA device.
You can learn more about two-factor authentication in this Help Center article.
Log Out Regularly
You can protect your account by logging out when you are finished working. This is especially important when you are working on a shared or public computer. If you don’t log out, someone may be able to access your account just by viewing the browser history and going back to your Tumblr dashboard.
Contact Support for Assistance
Please reach out to Tumblr Support if you notice any suspicious activity on your Tumblr account.