In January 2019, the German magazine Der Spiegel published a story reporting that GMX and Web.de allow users to register an email address with the word 'password' as a password.

Such a security setting is completely irresponsible as it puts lots of users at risk. We at Tutanota focus on security, and we were very surprised to learn that GMX and Web.de neglected their users' security to such an extent. Thus, we found it necessary to investigate further and to shed some light on the security settings of Tutanota and GMX so that people can make an informed decision about whether to use GMX, Web.de or Tutanota.

General comparison of Tutanota and GMX

GMX and Tutanota both offer free email services to the public. Tutanota limits free users to 1 GB of free storage while GMX users can increase their free storage to 10 GB by downloading the GMX app.

Another main difference is that Tutanota automatically encrypts all emails and contacts to secure its users' emails to the maximum, which GMX does not do. Due to the built-in encryption, Tutanota cannot support IMAP/POP3, but offers its own desktop clients that also support built-in encryption. GMX, on the other hand, can be used via IMAP/POP3.

Both services offer paid upgrades that allow adding your own domain, additional users, and more. For more details on usability features, you can visit the homepage of each email provider: GMX and Tutanota.

Security comparison of Tutanota and GMX

| Security asset | Tutanota | GMX |
|---|---|---|
| Only strong passwords allowed¹ | Yes | No |
| Password hashed on client² | Yes | No |
| State of the art brute force protection³ | Yes | No |
| Two-Factor authentication⁴ | Yes | No |
| Encrypted storage of data | Yes | No |
| Easily encrypt emails end-to-end | Yes | No |
| Data stored in Germany | Yes | Yes |
| No reuse of email address⁵ | Yes | No |
| No advertisements | Yes | No |
| No ability to read users' emails⁶ | Yes | No |

1) GMX allows 'password' as a password and indicates weak passwords with a green bar. Tutanota also checks your password upon sign-up. If the password is too weak, registration with the chosen password is not possible.

2) GMX transmits the password in clear text to the server. Tutanota hashes and salts the password with bcrypt and SHA256 before transmitting the hash to the servers. It is impossible to derive the actual password from this hash, so no one can intercept the password.

3) Tutanota's brute force protection kicks in way before GMX tries to stop unauthorized persons from guessing passwords. Tutanota hashes the password with bcrypt to make brute-force attacks much harder.

4) GMX offers no option to add a second factor to accounts. Tutanota has supported second factors since August 2017 and recommends using a hardware token (U2F) as this is the most secure 2FA option.

5) GMX Terms state that unused email addresses may be made available for new registrations after 12 months. Tutanota does not recycle unused email addresses for security reasons.

6) GMX reads users' emails (German source). Tutanota stores all data - emails and contacts - encrypted so no third party can read users' emails.
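
The flow described in notes 2 and 3, as an added example that is not Tutanota's own code: the client stretches the password with a salted slow KDF and sends only the SHA-256 of the result. Node's built-in scrypt stands in for bcrypt, and every function name, the in-memory `db` and the sample account are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// CLIENT: stretch the password with a salted, slow KDF. scrypt stands in for
// bcrypt here because Node's standard library has no bcrypt.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password.normalize('NFKC'), salt, 32);
}

// CLIENT: what goes over the wire is SHA-256(key), never the password or key.
function authVerifier(password, salt) {
  return sha256(deriveKey(password, salt));
}

// CLIENT: at sign-up, pick a random salt and send { salt, verifier }.
function clientSignup(password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, verifier: authVerifier(password, salt) };
}

// SERVER: the verifier is enough to log in, so store only a hash of it.
// Assumption: one SHA-256 suffices because the input is already KDF output.
function serverRegister(db, address, { salt, verifier }) {
  db.set(address, { salt, stored: sha256(verifier) });
}

// SERVER: hash the received verifier and compare in constant time.
function serverLogin(db, address, verifier) {
  const rec = db.get(address);
  if (!rec || verifier.length !== 32) return false;
  return nodeCrypto.timingSafeEqual(rec.stored, sha256(verifier));
}

// Constructed demo: one account, one correct and one wrong login attempt.
function demo() {
  const db = new Map();
  const addr = 'alice@example.com'; // constructed address
  serverRegister(db, addr, clientSignup('correct horse battery staple'));
  const salt = db.get(addr).salt; // the server hands the salt to the client
  return {
    good: serverLogin(db, addr, authVerifier('correct horse battery staple', salt)),
    bad: serverLogin(db, addr, authVerifier('password', salt)),
  };
}

console.log(demo());
```
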

Conclusion of the security comparison between GMX and Tutanota

To sum up: GMX started in 1997 when email was still a very young medium. Its level of security has not improved much since then.

Today users must ask for much better security measures because cyber attacks, in particular email phishing, are becoming increasingly sophisticated.

Besides, when you switch to Tutanota, you are using a green email service.

Recommended for further reading: Our online security guide explains three easy steps to keep your emails safe from hackers.