In January 2019 the German magazine Der Spiegel published a story that GMX and Web.de allow users to register an email address with the word 'password' as a password. Such a security setting is completely irresponsible as it puts lots of users at risk. We at Tutanota focus on security, and we were very surprised to learn that GMX and Web.de neglected their users' security to such an extent. Thus, we found it necessary to investigate further and to shed some light on the security settings of Tutanota and GMX so that people can make informed decisions.
General comparison of Tutanota and GMX
GMX and Tutanota both offer free email services to the public. Tutanota limits free users to 1 GB of free storage while GMX users can increase their free storage to 10 GB by downloading the GMX app.
Another main difference is that Tutanota automatically encrypts all emails and contacts to secure its users' emails to the maximum, which GMX does not. Due to the built-in encryption, Tutanota cannot support IMAP/POP3, but offers its own desktop clients that also support built-in encryption. GMX, on the other hand, can be used via IMAP/POP3.
Both services offer paid upgrades that allow adding your own domain, additional users, and more. For more details on usability features, you can visit the homepage of each email provider: GMX and Tutanota.
Security comparison of Tutanota and GMX
| Feature | Tutanota | GMX |
|---|---|---|
| Only strong passwords allowed¹ | Yes | No |
| Password hashed on client² | Yes | No |
| State of the art brute force protection³ | Yes | No |
| Encrypted storage of data | Yes | No |
| Easily encrypt emails end-to-end | Yes | No |
| Data stored in Germany | Yes | Yes |
| No reuse of email address⁵ | Yes | No |
| No ability to read users' emails⁶ | Yes | No |
1) GMX allows 'password' as a password and indicates weak passwords with a green bar. Tutanota also checks your password upon sign-up. If the password is too weak, registration with the chosen password is not possible.
2) GMX transmits the password in clear text to the server. Tutanota hashes and salts the password with bcrypt and SHA256 before transmitting the hash to the servers. It is impossible to derive the actual password from this hash, so no one can intercept the password.
3) Tutanota's brute force protection kicks in long before GMX tries to stop unauthorized persons from guessing passwords. Tutanota hashes the password with bcrypt to make brute-force attacks much harder.
4) GMX offers no option to add a second factor to accounts. Tutanota has supported second factors since August 2017 and recommends using a hardware token (U2F) as this is the most secure 2FA option.
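The client-side hashing described in note 2, sketched as an added example (not Tutanota's code): the client runs a slow salted KDF followed by SHA-256 and sends only the result, and the server hashes that value once more before storing it. Assumptions: PBKDF2 from the Python standard library stands in for bcrypt, and the iteration count, the `Server` class, the function names and the sample account are hypothetical.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed work factor for this sketch


def client_verifier(password: str, salt: bytes) -> bytes:
    """Client side: slow salted KDF, then SHA-256. Only this value is sent."""
    # PBKDF2 is a stand-in for bcrypt here (assumption, see lead-in).
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return hashlib.sha256(key).digest()


class Server:
    """Hypothetical server that never receives the plaintext password."""

    def __init__(self):
        self.accounts = {}  # address -> (salt, SHA-256 of the verifier)

    def register(self, address: str, salt: bytes, verifier: bytes) -> None:
        # The verifier is password-equivalent for login, so store only its
        # hash: a leaked account table then cannot be replayed as a login.
        self.accounts[address] = (salt, hashlib.sha256(verifier).digest())

    def salt_for(self, address: str) -> bytes:
        return self.accounts[address][0]

    def login(self, address: str, verifier: bytes) -> bool:
        record = self.accounts.get(address)
        if record is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(record[1], hashlib.sha256(verifier).digest())


if __name__ == "__main__":
    server = Server()
    salt = os.urandom(16)  # per-account random salt, generated at sign-up
    address = "alice@example.test"  # constructed sample account
    server.register(address, salt, client_verifier("correct horse battery staple", salt))
    good = client_verifier("correct horse battery staple", server.salt_for(address))
    bad = client_verifier("password", server.salt_for(address))
    print("correct password accepted:", server.login(address, good))
    print("wrong password accepted:", server.login(address, bad))
```

Because the transmitted value is itself sufficient to log in, this scheme complements transport encryption rather than replacing it.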
To sum up: GMX started in 1997 when email was still a very young medium. Its level of security has not improved much since then.
Today users must ask for much better security measures because cyber attacks, in particular phishing attacks on email accounts, are becoming increasingly sophisticated.