Skip to content

Account security and passwords

Last updated: February 28, 2024

Available with any of the following subscriptions, except where noted:

All products and plans

HubSpot offers many ways to secure your account. From password security to best login practices, learn about your options for keeping your HubSpot account safe.


Learn how to reset your password, HubSpot's automatic password resets, and how HubSpot prevents leaked passwords from being used in your account.

Please note:

  • When creating a new password, it's not possible set your own password complexity requirements. However, if you have an Enterprise subscription with single sign-on (SSO) set up and required, HubSpot will use the SSO provider's password requirements instead. 
  • HubSpot doesn't expire passwords, and doesn't track previous passwords used.

Reset your HubSpot account password

If you need to reset your password, click Forgot my password on the login page and follow the steps to reset your password. Learn more about resetting your password in HubSpot. If you still aren't able to log in after resetting your password, follow these troubleshooting steps to resolve the issue.

Proactive password resets

For security reasons, HubSpot checks your password against publicly leaked passwords. When the password you're using matches a password that has been publicly leaked, HubSpot will prevent you from logging in, then send you a password reset email. This protects your account from bad actors who have access to publicly leaked passwords.

When you receive the email, click Visit your HubSpot account and update your password at the bottom of the email and continue to update your password. Once your password is updated, you should be able to log into your HubSpot account.

Password creation for new accounts

When creating a password for a new HubSpot account, HubSpot will check the password against publicly leaked passwords. If HubSpot detects a match to a leaked password, you'll see the following error message: Please choose a different password. This has been identified as a risky password.


To protect your account, HubSpot won't allow you to use this password, as it's a commonly known password on the internet. This doesn't mean that any of your other internet accounts have been compromised, but it's recommended that you change this password if you're using it elsewhere.

Failed password login attempts

After 10 consecutive failed login attempts, HubSpot will send a password reset email to your user email. Learn more about resetting your password in HubSpot.

Improving password security

For better HubSpot account security, consider the following:

  • Use a password manager, including password generators/managers in your browser (e.g., Chrome, Safari). To learn more about why a password manager may be helpful, check out HubSpot's blog post about keeping your online data secure.
  • Use a unique password for your HubSpot account. Having a unique password for HubSpot increases account security in the event that one of your passwords is breached.

Two-factor authentication

Two-factor authentication (2FA) adds an extra layer of security to your HubSpot account. With 2FA enabled, you will be asked to confirm your login on your mobile device. Because a physical device is required to confirm your login, it greatly lowers the risk of an intruder gaining access to your account. 

If you are a super admin or have permissions to edit account defaults, you can require two-factor authentication for all users in the account.

Learn how to set up two-factor authentication.

Single sign-on (Enterprise only)

Single sign-on (SSO) is a feature available for Enterprise accounts that allows you to integrate your existing SSO for logging in to HubSpot. With SSO enabled, you will be asked to confirm your login with a login confirmation email or through using two-factor authentication.

Learn how to set up single sign-on with HubSpot.

Login confirmation

HubSpot offers an array of automatic security measures for your account, including detecting login attempts from new browsers or devices. Super admins can limit HubSpot account access to trusted IP addresses. When HubSpot doesn't recognize the browser or device that you're logging in from, you'll be prompted to confirm your identity through an emailed verification code. You'll also see this confirmation when logging in after clearing your browser cookies.

This confirmation is separate from one you'd receive when logging in with two-factor authentication. Once you confirm your login, you can continue to use HubSpot as normal.

To confirm your login:

  • After entering your login credentials, you'll be redirected to a page that will prompt you for a verification code.
  • Access the email inbox associated with your HubSpot account to retrieve the verification code. HubSpot support cannot provide this code for you.
  • On the verification page, enter the code, and click Log in.

If you're asked to confirm your login often, consider enabling two-factor authentication. With 2FA enabled, you can verify your login with your mobile device instead of email. You'll then have the option to prevent login confirmations for 30 days by selecting Don't ask me again on this computer when logging in. 


If you don't receive a login confirmation code in your inbox, try the following troubleshooting steps:

If you no longer have access to your email inbox, or the email address is no longer valid, you'll need to work with your team to add a new user for your current email address.

More resources

For more information on HubSpot account security, check out the resources below:

Was this article helpful?
This form is used for documentation feedback only. Learn how to get help with HubSpot.