Security Comparison: Why it's time to use Tutanota instead of GMX.
This comparison explains the security differences between GMX and Tutanota that are important for protecting your email account. With data breaches and security risks rising, it is time to switch to the most secure option.
In January 2019, the German magazine Der Spiegel published a story reporting that GMX and Web.de allow users to register an email address with the word ‘password’ as a password.
Such a security setting is completely irresponsible as it puts lots of users at risk. We at Tutanota focus on security, and we were very surprised to learn that GMX and Web.de neglected their users’ security to such an extent. Thus, we found it necessary to investigate further and to shed some light on the security settings of Tutanota and GMX so that people can make an informed decision about whether to use GMX, Web.de or Tutanota.
General comparison of Tutanota and GMX
GMX and Tutanota both offer free email services to the public. Tutanota limits free users to 1 GB of free storage while GMX users can increase their free storage to 10 GB by downloading the GMX app.
Another main difference is that Tutanota automatically encrypts all emails and contacts to secure its users’ emails to the maximum, which GMX does not. Due to the built-in encryption, Tutanota cannot support IMAP/POP3, but offers its own desktop clients that also support built-in encryption. GMX, on the other hand, can be used via IMAP/POP3.
Both services offer paid upgrades that allow adding your own domain email address, additional users, and more. For more details on usability features, you can visit the homepage of each email provider: GMX and Tutanota.
Security comparison of Tutanota and GMX
Security asset | Tutanota | GMX
---|---|---
Only strong passwords allowed¹ | Yes | No
Password hashed on client² | Yes | No
State of the art brute force protection³ | Yes | No
Two-Factor authentication⁴ | Yes | No
Encrypted storage of data | Yes | No
Easily encrypt emails end-to-end | Yes | No
Data stored in Germany | Yes | Yes
No reuse of email address⁵ | Yes | No
No advertisements | Yes | No
No ability to read users’ emails⁶ | Yes | No
¹ GMX allows ‘password’ as a password and indicates weak passwords with a green bar. Tutanota also checks your password upon sign-up. If the password is too weak, registration with the chosen password is not possible.
² GMX transmits the password in clear text to the server. Tutanota hashes and salts the password with bcrypt and SHA256 before transmitting the hash to the servers. It is impossible to derive the actual password from this hash; thus, no one can intercept the password.
³ Tutanota’s brute force protection kicks in way before GMX tries to stop unauthorized persons from guessing passwords. Tutanota hashes the password with bcrypt to make brute-force attacks much harder.
⁴ GMX offers no option to add a second factor to accounts. Tutanota has supported second factors since August 2017 and recommends using a hardware token (U2F) as this is the most secure 2FA option.
⁵ GMX Terms state that unused email addresses may be made available for new registrations after 12 months. Tutanota does not recycle unused email addresses for security reasons.
⁶ GMX reads users’ emails (German source). Tutanota stores all data - emails and contacts - encrypted so no third party can read users’ emails.
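The hash-before-transmit login from footnote 2, shown as an added example that is not Tutanota's code: the client stretches the password, hashes the result once more, and sends only that verifier. Assumptions: PBKDF2 stands in for bcrypt (the Python standard library has none), the server-side re-hash of the verifier is not stated on this page, and the `Server` class, account name and passwords are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import os

KDF_ROUNDS = 200_000  # constructed work factor for the stand-in KDF


def client_derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Client side: return (secret_key, verifier); only verifier is sent."""
    # Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here.
    secret_key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, KDF_ROUNDS, dklen=16)
    # Second hash: the transmitted value reveals neither the password
    # nor the stretched key, which stays on the device.
    verifier = hashlib.sha256(secret_key).digest()
    return secret_key, verifier


class Server:
    """Hypothetical server that never sees the password or secret_key."""

    def __init__(self) -> None:
        self.accounts = {}  # user -> (salt, sha256(verifier))

    def register(self, user: str, salt: bytes, verifier: bytes) -> None:
        # Assumption: hash the verifier again before storing, so a leaked
        # database row cannot be replayed as a login value.
        self.accounts[user] = (salt, hashlib.sha256(verifier).digest())

    def salt_for(self, user: str) -> bytes:
        return self.accounts[user][0]

    def login(self, user: str, verifier: bytes) -> bool:
        if user not in self.accounts:
            return False
        stored = self.accounts[user][1]
        candidate = hashlib.sha256(verifier).digest()
        return hmac.compare_digest(stored, candidate)  # constant time


def demo() -> dict:
    user, server, salt = "alice@example.org", Server(), os.urandom(16)
    key, verifier = client_derive("correct horse battery staple", salt)
    server.register(user, salt, verifier)
    _, good = client_derive("correct horse battery staple", server.salt_for(user))
    _, bad = client_derive("password", server.salt_for(user))
    return {"good": server.login(user, good), "bad": server.login(user, bad),
            "key_sent": key in (verifier, server.accounts[user][1])}
```

The verifier still works as the login credential on the wire, so this scheme protects the password itself and complements transport encryption instead of replacing it.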
Conclusion of the security comparison between GMX and Tutanota
To sum up: GMX started in 1997 when email was still a very young medium. Its level of security has not improved much since then.
Today users must ask for much better security measures because cyber attacks, in particular email phishing, are becoming increasingly sophisticated.
Besides, when you switch to Tutanota, you are using a green email service.
Recommended for further reading: Our online security guide explains three easy steps to keep your emails safe from hackers.