Raising the bar in security with Argon2.

Argon2 is the most secure hashing functions to protect passwords and encryption keys.

We are excited to let you know that we have updated the hashing function in Tutanota to Argon2 - the most secure algorithm. This is the first step on our road of becoming a post-quantum secure email provider as this hashing function can generate much larger encryption keys used to secure your Tutanota emails, calendars and contacts.

As you know, we are planning to become the first post-quantum secure email and cloud provider, and we are very happy to announce that we have now achieved the first milestone in this project!

With this update your password - that is used to generate your encryption keys that encrypt all your data in Tutanota - will no longer be protected with bcrypt, but with Argon2: a new and advanced algorithm that will lead to even better security.

Why are we switching to Argon2?

When Tutanota first came about, bcrypt was the best way to turn a password into a cryptographic key. It turns your password into 192 random-looking bits that we can use for cryptographic purposes. This is way more entropy than most people's passwords will ever have, so surely it is enough, right?

Well, as part of becoming quantum-safe, we want to switch all of our AES keys to 256-bit, because 128 bit keys will no longer be secure once a quantum computer that can run Grover's algorithm comes into existence. But, the mathematically inclined among you will notice that 256 is greater than 192.

What can we do, then?

We can stretch those 192 bits by hashing them with SHA-256, for example, and it would be fine in most cases.

But why do that if we can do better?

Enter Argon2

Argon2 has been the winner of the Password Hashing Competition - and for good reason. This algorithm is currently recommended by most modern guidelines, including the OWASP Foundation.

Argon2 brings a number of improvements over bcrypt, such as memory-hardness and side-channel resistance.

Can Argon2 be used in all clients?

Once we settled on the algorithm we want to use, we were left with the problem of how to actually use this in all of our supported platforms: Android, iOS, desktop clients and web. The main problem is that there is no JavaScript implementation, or at least none that we would consider using. There are, however, a number of JavaScript bindings for the reference C implementation, compiled to WebAssembly.

WebAssembly is a technology that allows code written in almost any programming language to be run on a web browser.

That's what we decided to use, too, but we opted to write our own minimal glue to get the best loading times with the cleanest code.

Why are we using WebAssembly?

WebAssembly has been supported by all major browsers for a long time. That's why we opted for this solution as it brought the best results for all Tutanota users in terms of security and speed.

One small hiccup is that, although WebAssembly is supported by all major browsers, it is still not available in some situations, for example, on Lockdown Mode in iOS.

We considered avoiding this requirement completely by compiling the C code to pure JavaScript (asm.js), but that would make the app too slow to be practical.

We are, however, going to use native implementations for the mobile apps, which gives us better performance and removes the mentioned requirement for those clients.

To enable everyone to use our new and more secure password protection with Argon2, we are letting people on all environments that might have an issue with WebAssembly know that they will need this to improve their level of security.

What are other providers doing?

Unlike providers like Google or Outlook, we are not using your password just for authentication, we use it also to generate the key that unlocks all of your encrypted data. One of the worst examples in terms of security is the new Outlook that shares your password and other data with Microsoft's servers. Contrary to that, Tuta Mail aims to maximize your security at all ends.

For our encryption protocol to function, we need a password-based Key Derivation Function, rather than a password hashing function or a password-based authentication protocol.

For this requirement - as explained above - Argon2 is well ahead of bcrypt and will make your encrypted data even more secure.

To this date, none of our competitors use Argon2, so with this step of upgrading to Argon2, we are proving once again that we are the most secure email provider.

What do you have to do?

Most users will not have to do anything; they will simply benefit from the increased security once it is rolled out.

Some people who are using systems that have an issue with WebAssembly might see a warning.

If you are getting this warning on the Tor browser, you can either:

  • Change to the Standard security level in the Tor browser, or
  • Launch another browser, using the running Tor instance as a proxy.

If you are on Lockdown Mode on iOS, we strongly recommend using the Tutanota app, not the browser. If you use the browser on iOS Lockdown Mode, you would need to add an exception for the Tutanota web client.

If you run into issues on Android, update your WebView (which is only necessary when using the browser on Android).

Make sure to use one of the supported browsers or the Tutanota desktop client.

We are happy that we can increase your level of security by switching from bcrypt to Argon2!