Mailbox Passwords
Passwords for mailboxes
2-factor authentication not possible
Currently, 2-factor authentication (2FA) is on everyone’s lips. We also offer it to secure access to our customer area as well as to the e-mail administration interface (Mailix UI).
However, this is not technically possible for mailboxes. The email protocols (POP, IMAP, SMTP) do not support 2-factor authentication at all. Any attempt to implement it in these services would render all third-party email clients useless, because the protocols provide no mechanism for it. While a company as large as Google, for example, may be able to use its own login method that the developers of all major email clients then support, it is unlikely that a company smaller than Google can get many developers to support its non-standard implementation. The only consistent way to handle email login is to use the primary, universal protocols, which unfortunately do not support 2FA.
App-specific passwords
Alternatively, there are “app-specific passwords” for POP/IMAP/SMTP as a solution, which we also offer. However, from a security perspective, this is unfortunately not a solution. While there is a potential gain in convenience, it is largely negated in practice once a password is compromised. Application-specific passwords are simple passwords used to log in and bypass 2FA, which invalidates 2FA for the account. No one can track their use, and they can’t be restricted to a specific app (because, again, the protocols don’t allow that). So if your account is compromised and you have 50 app-specific passwords, what can you do but delete and re-create all 50 passwords? Delete one password at a time and wait to see how long it takes for spam to stop being sent through your account? Lower server security and log which password is used when (because that’s the only way to get that insight from universal logs)?
More secure passwords technically not possible
Application-specific passwords, therefore, do not provide increased security (but only decrease convenience) and two-factor authentication for email protocols does not exist. Currently, the only secure method would be to log in only over the Internet using webmail and use 2FA on the webmail clients, but this is not a viable compromise as it defeats most use cases of email.
Good old regular passwords
So mailboxes can still only be secured with ordinary passwords that are as strong as possible (meaning as long as possible). We recommend using passphrases instead of passwords made up of upper and lower case letters, numbers and special characters. For example, ‘Today is my 30th birthday!’ would be an easy-to-remember passphrase and also much more secure than, for example, ‘Jgiu&u87/’. Email client software usually stores the mailbox password, so it rarely needs to be entered. It is best to use a password manager so that you always have the password at hand. You need it, for example, if you want to get into webmail or manage your spam filter or email alias in the Mailix UI.
By the way, when retrieving and sending e-mail, the access ID and password are always transmitted in encrypted form only. It is therefore not possible to spy on them electronically when they are used.
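One way to check that a mail service never invites a password before encryption is active is to inspect what it advertises on a cleartext connection. The following is an added example, not our server code: the keywords are those of the SMTP, IMAP and POP3 standards, while the function name and the sample replies are constructed for illustration.

```python
"""Find password-revealing logins a mail server advertises before TLS.

Input is the capability text sent on a cleartext connection: an SMTP EHLO
reply, an IMAP CAPABILITY line or a POP3 CAPA reply.
"""

PLAINTEXT_SASL = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    ("smtp", "hardened"): "250-mx.example.test\r\n250-STARTTLS\r\n250 SIZE 52428800\r\n",
    ("smtp", "weak"): "250-mx.example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n",
    ("imap", "hardened"): "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n",
    ("imap", "weak"): "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n",
    ("pop3", "hardened"): "+OK\r\nSTLS\r\nUIDL\r\n.\r\n",
    ("pop3", "weak"): "+OK\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\n.\r\n",
}


def cleartext_logins(protocol, reply):
    """Return the sorted login methods that would expose a password pre-TLS."""
    if protocol not in ("smtp", "imap", "pop3"):
        raise ValueError("unknown protocol: " + protocol)
    found = set()
    for line in reply.upper().splitlines():
        if protocol == "smtp":
            # Drop the "250-" / "250 " prefix; accept "AUTH PLAIN" and "AUTH=PLAIN".
            words = line[4:].replace("=", " ").split()
            if words[:1] == ["AUTH"]:
                found |= {"AUTH " + m for m in words[1:] if m in PLAINTEXT_SASL}
        elif protocol == "pop3":
            words = line.split()
            if words[:1] == ["USER"]:
                found.add("USER/PASS")
            elif words[:1] == ["SASL"]:
                found |= {"AUTH " + m for m in words[1:] if m in PLAINTEXT_SASL}
        else:  # imap; capabilities may also arrive as "* OK [CAPABILITY ...]"
            words = line.replace("[", " ").replace("]", " ").split()
            if "CAPABILITY" in words:
                if "LOGINDISABLED" not in words:
                    found.add("LOGIN")  # LOGIN is permitted unless disabled
                found |= {"AUTHENTICATE " + w[5:] for w in words
                          if w[:5] == "AUTH=" and w[5:] in PLAINTEXT_SASL}
    return sorted(found)


if __name__ == "__main__":
    for (proto, label), reply in SAMPLES.items():
        print(proto, label, cleartext_logins(proto, reply) or "nothing before TLS")
```

An empty result means the server only accepts the password after STARTTLS/STLS has been negotiated; ports with implicit TLS have no cleartext phase to check.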
Our request
Please always remember to keep your passwords secure and do not expect increased security through 2FA or app-specific passwords.