As you know, we are planning to become the first post-quantum secure email and cloud provider, and we are very happy to announce that we have now achieved the first milestone in this project!
With this update, your password, which is used to generate the encryption keys that encrypt all your data in Tutanota, will no longer be protected with bcrypt but with Argon2, a new and advanced algorithm that will lead to even better security.
When Tutanota first came about, bcrypt was the best way to turn a password into a cryptographic key. It turns your password into 192 random-looking bits that we can use for cryptographic purposes. This is way more entropy than most people's passwords will ever have, so surely it is enough, right?
Well, as part of becoming quantum-safe, we want to switch all of our AES keys to 256-bit, because 128-bit keys will no longer be secure once a quantum computer that can run Grover's algorithm comes into existence. But the mathematically inclined among you will notice that 256 is greater than 192.
What can we do, then?
We can stretch those 192 bits by hashing them with SHA-256, for example, and it would be fine in most cases.
But why do that if we can do better?
Argon2 won the Password Hashing Competition, and for good reason. The algorithm is currently recommended by most modern guidelines, including those of the OWASP Foundation.
Argon2 brings a number of improvements over bcrypt, such as memory-hardness and side-channel resistance.
WebAssembly is a technology that allows code written in almost any programming language to be run on a web browser.
That's what we decided to use, too, but we opted to write our own minimal glue to get the best loading times with the cleanest code.
WebAssembly has been supported by all major browsers for a long time. That's why we opted for this solution as it brought the best results for all Tutanota users in terms of security and speed.
One small hiccup is that, although WebAssembly is supported by all major browsers, it is still not available in some situations, for example, in Lockdown Mode on iOS.
We are, however, going to use native implementations for the mobile apps, which gives us better performance and removes the mentioned requirement for those clients.
To enable everyone to use our new and more secure password protection with Argon2, we are letting people in all environments that might have an issue with WebAssembly know that they will need it to improve their level of security.
Unlike providers like Google or Outlook, we do not use your password just for authentication; we also use it to generate the key that unlocks all of your encrypted data. So we really need a password-based key derivation function, rather than a password hashing function or a password-based authentication protocol.
For this requirement - as explained above - Argon2 is well ahead of bcrypt and will make your encrypted data even more secure.
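An added example (not Tutanota's code) of the two points above: stretching a 192-bit output with SHA-256 versus asking the KDF for 256 bits directly, and using the password-derived key to unlock data. It assumes Node.js; scrypt from Node's built-in crypto module stands in for Argon2, and the function names, cost parameters, salt and passwords are illustrative assumptions.

```javascript
// Added example, not Tutanota's code. scrypt is a stand-in for Argon2 here.
const crypto = require('node:crypto');

// Illustrative cost parameters (assumption), not the provider's settings.
const COST = { N: 2 ** 14, r: 8, p: 1 };

// Memory-hard password-based KDF with a selectable output length.
function kdf(password, salt, lengthBytes) {
  return crypto.scryptSync(password, salt, lengthBytes, COST);
}

// Option from the text: take a 192-bit KDF output and stretch it with SHA-256.
// The result is 32 bytes long, but it can never hold more than 192 bits of entropy.
function stretchedKey(password, salt) {
  return crypto.createHash('sha256').update(kdf(password, salt, 24)).digest();
}

// Alternative: ask the KDF for all 256 bits directly.
function directKey(password, salt) {
  return kdf(password, salt, 32);
}

// Encrypt data under the password-derived key (AES-256-GCM).
function lock(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key (i.e. the password) is wrong.
function unlock(key, box) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
    d.setAuthTag(box.tag);
    return Buffer.concat([d.update(box.body), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample values.
const salt = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const box = lock(directKey('correct horse battery staple', salt), 'mailbox contents');
console.log(unlock(directKey('correct horse battery staple', salt), box)); // right password
console.log(unlock(directKey('wrong password', salt), box));               // wrong password
```

Because the key is derived from the password rather than stored, a wrong password is detected only when the GCM authentication tag fails to verify.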
To date, none of our competitors use Argon2, so with this step of upgrading to Argon2, we are proving once again that we are the most secure email provider.
Most users will not have to do anything; they will simply benefit from the increased security once it is rolled out.
Some people who are using systems that have an issue with WebAssembly might see a warning.
If you are getting this warning on the Tor browser, you can either:
If you are on Lockdown Mode on iOS, we strongly recommend using the Tutanota app, not the browser. If you use the browser on iOS Lockdown Mode, you would need to add an exception for the Tutanota web client.
If you run into issues on Android, update your WebView (which is only necessary when using the browser on Android).
Make sure to use one of the supported browsers or the Tutanota desktop client.
We are happy that we can increase your level of security by switching from bcrypt to Argon2!