Password reset, after you give it one identifier, requests another tied to the account: if you give it your phone number, it asks for your email address: if you enter your email, it asks for your phone (and if you give it your username, it asks for either, which makes one wonder why the others don't accept username as a verifier).
Once you've entered two identifiers, it shows the last two digits of your phone number, and the first two letters of your email address, the first of the domain, the position of dots in it, and the length of everything masked (regardless of whether or not you just entered your email address / phone no): #125
-reset flow response SMS comes from 40404, is 8-character alphanumeric code
password reset has a "remember me" checkbox - even unchecked, you're still logged in on submit
reset submit stub links to "Review your applications", "Protect your account", and "Continue to Twitter"
registration has a "Tailor Twitter based on my recent website visits" checkbox (aka "track me")
The "manage connected apps" page is interesting and seems like the kind of thing I should be profiling
Stray observations: