Login security

Your login security depends on several factors, most of which your provider can take care of. Here we are collecting best practices to protect your login credentials that make it extremely difficult for malicious attackers to take over your account.

This summary also contains one important feature that you need to activate for securing your login credentials yourself: two-factor authentication. But let's start with something easy!

1. Enforcement of strong passwords

When you sign up for an online service, it is important that this service forces you to choose a strong password. For example, when signing up for a Tutanota account, the system will display a pop-up saying 'password is not secure enough' if you chose a weak password. This way, the system makes sure that every user chooses a strong password.

A strong password should contain lower and upper case letters, numbers, and special characters and it must not be too short. Here are more tips on how to choose a strong password. Also, Tutanota does not allow commonly used passwords, such as 'password'. Unfortunately, other email services such as GMX allows 'password' as a password, which is one of the worst things to do as this makes it incredibly easy for any attacker to take over your account with a simple guess.

Tutanota also uses state-of-the-art brute-force protection. The password is hashed with [Bcrypt]]({faqHashingLink}) and salted with SHA256. Only the hash of the password is transmitted to our servers so that not even we at Tutanota can see your password.

2. Recovery code for resetting login credentials

Next to choosing a strong password, the most important factor when it comes to securing your login credentials is the way that your password can be reset. Most services offer a password reset via email. While this is very convenient, it is just as insecure.

Reset options via email are like a backdoor that make it very easy for malicious attackers. They can abuse the resetting feature to take over your online account. That's why Tutanota does not offer a password reset via email, but instead comes with a recovery code.

The recovery code enables you to reset your password without having to involve anyone else. It is important that you write down your recovery code somewhere safe because we at Tutanota deliberately have no option to reset your password. This way we make sure that not even we can take over your account.

When you have activated 2FA, you need two out of three to reset your password or second factor. You'll find details in our How-to.

3. Two-factor authentication

We recommend everyone who wants to protect their login credentials to activate at least one second factor. Tutanota enables you to add several second factors. By adding several second factors, you mitigate the risk of losing access to your email account if you lose your second factor.

Tutanota supports U2F and TOTP. We recommend choosing a hardware token (U2F) as this is the most secure option for two-factor authentication.

When setting up a second factor, please also make sure to write down your recovery code. Once set up, you need two out of three to reset your account in case you lose one. For example, if you lose your second factor, you need your password and your recovery code to reset your login credentials.

4. Session handling

Session handling is an important best practice for securing your login credentials. It enables you to close a session remotely. For instance, you are logged in on your phone, but lose your phone. In that case, you would want to close this session from another device so that no one who gets hold of your phone can get access to your online account.

Tutanota supports session handling. You can either close one or all sessions remotely, or you can change your password on one client. Then all other sessions are logged out immediately.

Active and recently closed login sessions are visible in Settings -> Login. If needed, you can activate the storing of login IP addresses to monitor if someone else is accessing your account. This feature needs to be manually activated, stored IP addresses are encrypted and can only be decrypted by the user.

5. Administrative log

When using an online service for your company, you would want to see what the administrators are doing. Administrators usually have the right to reset passwords etc. so it is important to make sure that administrators do not abuse this power.

Tutanota logs all administrative actions. These are visible in Settings -> Global settings -> Audit log.

6. Changing of passwords

It is recommended that a user who has been provided with an online account or whose password had to be reset by the administrator changes this password for security reasons.

Tutanota has the option to force changing of passwords by the users if it was reset by an admin.

7. Multiple administrators

In Tutanota, multiple users can be made administrators to monitor the security of the Tutanota account.

Keep your login credentials secure

Taken together, Tutanota does a lot to take care of your login security. If you also activate second factor-authentication and write down your recovery code somewhere safe, all best practices to secure your login credentials are met.

Stay secure. 😀

Please also read our email security guide to learn how to best protect your online identity.