Login security: Best practices to stop phishing attacks!

Tutanota does a lot to protect your account, such as applying best practices for your login security. Follow this guide to keep all your accounts safe.

Follow login security best practices to keep your credentials secure.
It is a hard task to keep all your online accounts safe from malicious attacks such as phishing. As we at Tutanota encrypt all your data with the help of your password, your password becomes the weakest link and must be protected at all costs. Thus, it is crucial that you take the utmost care to optimize your login security. Read this quick guide to maximize the security of your login credentials - not just for Tutanota, but for all your online accounts.

Login security

Your login security depends on several factors, most of which your provider can take care of. In this guide we are collecting best practices to protect your login credentials that make it extremely difficult for malicious attackers to take over your account.

This summary also contains one important feature that you need to activate for securing your login credentials yourself: two-factor authentication. But let's start with something easy!

The most important factors to protect your login credentials are:

  1. Strong passwords
  2. Secure method to recover accounts
  3. Two-factor authentication

1. Enforcement of strong passwords

When you sign up for an online service, it is important that this service forces you to choose a strong password. For example, when signing up for a Tutanota account, the system will display a pop-up saying 'password is not secure enough' if you choose a weak password. This way, the system makes sure that every user chooses a strong password.

A strong password should contain lower and upper case letters, numbers, and special characters and it must not be too short. Here are more tips on how to choose a strong password.

Also, Tutanota does not allow commonly used passwords, such as 'password'. Unfortunately, other email services such as GMX allows 'password' as a password, which is one of the worst things to do as this makes it incredibly easy for any attacker to potentially take over user accounts with a simple guess.

Tutanota also uses state-of-the-art brute-force protection. The password is hashed with Bcrypt and salted with SHA256. Only the hash of the password is transmitted to our servers so that not even we at Tutanota can see your password.

2. Recovery code for resetting credentials

Next to choosing a strong password, the most important factor when it comes to securing your login credentials is the way that your password can be reset. Most services offer a password reset via email. While this is very convenient, it is just as insecure.

Reset options via email can function like a backdoor that make it very easy for malicious attackers. They can abuse the resetting feature to take over online accounts. That's why Tutanota does not offer a password reset via email, but instead comes with a recovery code.

The recovery code enables you to reset your password without having to involve anyone else. It is important that you write down your recovery code somewhere safe because we at Tutanota deliberately have no option to reset your password. This way we make sure that not even we can take over your account.

When you have activated 2FA, you need two out of three to reset your password or second factor. You'll find details in our How-to.

3. Two-factor authentication

We recommend everyone who wants to protect their login credentials to activate at least one second factor. Two-factor authentication is one of the most important best practices that every user must activate when concerned about the login security of their account.

Tutanota enables you to add several second factors. By adding several second factors, you mitigate the risk of losing access to your email account if you lose your second factor.

Tutanota supports U2F and TOTP. We recommend choosing a hardware token (U2F) as this is the most secure option for two-factor authentication.

When setting up a second factor, please also make sure to write down your recovery code. Once set up, you need two out of three to reset your account in case you lose one. For example, if you lose your second factor, you need your password and your recovery code to reset your login credentials.

4. Session handling

Session handling is an important best practice for securing your login credentials. It enables you to close a session remotely. For instance, you are logged in on your phone, but lose your phone. In that case, you would want to close this session from another device so that no one who gets hold of your phone can get access to your online account.

Tutanota supports session handling. You can either close one or all sessions remotely, or you can change your password on one client. Then all other sessions are logged out immediately, which makes sure that your account stays safe even if you believe that your account could be accessed by someone else via a running active session.

Active and recently closed login sessions are visible in Settings -> Login. If needed, you can activate the storing of login IP addresses to monitor if someone else is accessing your account. This feature needs to be manually activated, stored IP addresses are encrypted and can only be decrypted by the user.

5. Administrative log

When using an online service for your company, you would want to see what the administrators are doing. Administrators usually have the right to reset passwords etc. so it is important to make sure that administrators do not abuse this power.

Tutanota logs all administrative actions. These are visible in Settings -> Global settings -> Audit log.

6. Changing of passwords

It is recommended that a user who has been provided with an online account or whose password had to be reset by the administrator changes this password for security reasons.

Tutanota has the option to force changing of passwords by the users if it was reset by an admin.

7. Multiple administrators

In Tutanota, multiple users can be made administrators to monitor the security of the Tutanota account.

Keep your credentials secure

Tutanota supports all best practices to maximize your login security.

Taken together, Tutanota does a lot to take care of your login security. If you also activate second factor-authentication and write down your recovery code somewhere safe, all best practices to secure your login credentials are met.

Stay secure. 😀

Please also read our email security guide to learn how to best protect your online identity.