Improve your account security with login and password best practices

There are multiple ways to keep your HubSpot account secure from unauthorized access. For example, you can create strong passwords, turn on two-factor authentication, and use other security features available in HubSpot. By putting these password and login best practices in place, you can better protect your HubSpot account and data from unauthorized access. 

Manage your passwords

Passwords serve as the primary means of protecting your account. Learn how to manage, reset, and improve your password practices in HubSpot.

Understand password security in HubSpot

• When creating a new password, it's not possible to set your own password complexity requirements. However, if you have a Professional or Enterprise subscription with single sign-on (SSO) set up and required, your SSO provider's password requirements will be used instead.
• Passwords that you’ve used before are not tracked in HubSpot.

Reset your HubSpot password

If you need to reset your password, follow these steps to reset your password. 

Proactive password resets

HubSpot employs automatic security measures to protect your account, such as proactive password resets when your password matches a publicly leaked password. Learn more about proactive password resets. 

Unused password removal

If you switch from using a password to using a different login method (e.g., passkeys or single sign-on (SSO)), unused passwords will be removed as a part of security best practices. This helps mitigate security risks of an old password being exploited.

You'll receive an email to confirm that your HubSpot password is eligible for removal. If the password stays unused during the 30 days after you receive the email, it'll be deleted. If you go back to using a password in the future, you can reset your password.

Best practices for passwords

For better HubSpot account security, consider the following:

• Use a password manager: this includes password generators/managers in your browser (e.g., Chrome, Safari). Learn more about why a password manager may be helpful.
• Use a unique password for your HubSpot account: having a unique password for HubSpot increases account security in the event that one of your passwords is breached.

Set up two-factor authentication (2FA)

If you log in using your email and password, two-factor authentication (2FA) adds an extra layer of security to your HubSpot login. With 2FA turned on, you'll be asked to confirm your login using a separate device, such as a mobile device. Because a physical device is needed to confirm your login, 2FA lowers the risk of an intruder gaining access to your account.

Learn how to set up two-factor authentication.

Set up passkeys

Passkeys use public and private key credentials to securely log in to your account using a compatible device with biometrics, a PIN code, or a password manager. They are supported by platforms like Google, Apple, and Microsoft. They are also supported by all major third-party password managers and FIDO2 compatible hardware tokens like Yubikey.

Learn how to set up a passkey with HubSpot.

Control login methods and account access

Control account access and manage how users log in to their accounts. 

Configure single sign-on

Integrate your existing single sign-on (SSO) when logging in to HubSpot to give your team one account for all the systems your business uses. With SSO turned on, you'll be asked to confirm your login with a login confirmation email or using two-factor authentication.

Learn how to set up single sign-on with HubSpot.

Restrict allowed login methods

Limit which login methods your team can use when setting up or signing into their HubSpot account. Tailor the login types available to your account based on your security needs. For example, if your company uses Google Workspace or Microsoft, you can only allow these login types. 

HubSpot login options include:

• Native HubSpot username and password login.
• Social services log ins (e.g., Google, Microsoft, Apple).
• Single Sign-On for Professional and Enterprise plans.
• Login with passkeys. 

Learn how to restrict which login methods user can use.

Understand login confirmation

When you log in to HubSpot, login attempts from new browsers or devices will be automatically detected. When the browser or device you're logging in from isn't recognized, you'll be prompted to confirm your identity through an emailed verification code. A confirmation email will also be sent when logging in after clearing browser cookies. Once login is confirmed, you can access your HubSpot account.

To confirm your login:

1. After entering your login credentials, you'll be redirected to a page that'll prompt you for a verification code.
2. Access the email inbox associated with your HubSpot account to retrieve the verification code. HubSpot Support cannot provide this code for you.
3. On the verification page, enter the code, and click Log in.

If you're asked to confirm your login often, consider turning on two-factor authentication. With 2FA turned on, you can verify your login with your mobile device instead of email. You'll then have the option to prevent login confirmations for 30 days by selecting Don't ask me again on this computer or Remember me when logging in. 

If you don't receive a login confirmation code in your inbox, try the following troubleshooting steps:

• Check your spam or junk folders to see if your email provider has filtered them out of your main inbox.
• If the email isn't in your spam or junk folder, ensure that your inbox is set up to accept emails from HubSpot.

If you no longer have access to your email inbox, or the email address is no longer active, you'll need to contact a Super Admin in your account to add a new user for your current email address.

Secure your HubSpot mobile app

Improve the security of your HubSpot mobile app with device lock.

In your HubSpot mobile app's settings, you can turn on device lock. When you close or leave your HubSpot mobile app, the next time you open the app, you'll be prompted to verify your identity with your mobile device's native biometrics or PIN code.

To turn on device lock:

1. Open the HubSpot app on your device.
2. In the top left, tap the Menu icon. 
3. At the bottom, tap Settings.
4. In the Security section, tap to toggle the Device Lock setting on.