Increased password strength

To protect your Runbox account, and any other online account you may have, it’s crucial to choose a good password. Your password needs to be unique enough to prevent others from guessing it or computers from cracking it.

This is becoming increasingly important since attackers can use powerful password cracking software and attacks are happening more often.

We see that many users choose passwords that are too simple, perhaps thinking that no one will try to gain access to their account, or that they don’t have anything to hide anyway.

The importance of strong passwords

However, if someone did gain unauthorized access to your account, they could potentially use its contents to break into other accounts you may have, since email often contains login information for other services.

An intruder could also hijack an account in order to send large amounts of spam, which would hurt not only the recipients of the messages, but also the account owner (due to returned, undeliverable messages). Furthermore, it could negatively impact Runbox as a whole, since it could get our service blocked by other email services.

Creating a good password

In Runbox 6, you can create a longer and more complex password using many different special characters.

Your password must be between 6 and 64 characters long, and can contain the letters a-z and A-Z, the numbers 0-9, and the following special characters:

+?=()&,.:;-_/*@!#~`#$%^&[]{}|\'”<>
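The rules above expressed as a check, as an added example that is not Runbox's own code: it validates a candidate against the stated length and character limits and computes an upper bound on blind brute-force work. The function names are illustrative, the sample passwords are constructed, and the typographic quote in the list is assumed to stand for a plain double quote.

```python
import math
import string

# Special characters copied from the list above. Assumption: the typographic
# quote in that list stands for a plain double quote.
SPECIALS = set("+?=()&,.:;-_/*@!#~`#$%^&[]{}|\\'\"<>")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS
MIN_LEN, MAX_LEN = 6, 64


def policy_violations(password):
    """Return the reasons a password breaks the stated rules (empty list = OK)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN}")
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append("characters not allowed: " + " ".join(repr(c) for c in bad))
    return problems


def search_space_bits(password):
    """Upper bound on blind brute-force work: length * log2(pool size).

    The pool is the union of the character classes the password draws from.
    This bounds exhaustive search only; dictionary and pattern-based guessing
    find predictable passwords long before the bound is reached.
    """
    classes = [set(string.ascii_lowercase), set(string.ascii_uppercase),
               set(string.digits), SPECIALS]
    used = set(password)
    pool = sum(len(c) for c in classes if c & used)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for candidate in ["abc", "pass word1", "aB3$efgh", "correcthorsebatteryx"]:
        issues = policy_violations(candidate)
        bits = search_space_bits(candidate)
        print(f"{candidate!r}: {issues or 'ok'}, <= {bits:.1f} bits")
```
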

We know, creating and remembering a long and complex password sounds like a big hassle. But it’s actually very simple, and could even be fun!

Just see our Tips for choosing and protecting passwords for a quick how-to.


5 thoughts on “Increased password strength”

  1. With all the hackers out there, and with more and more sophisticated computers being constructed to ‘brute force’ their way into accounts and such, aren’t we in this world getting to the point where a single password (even a 500 character one) will simply not be enough security? Maybe what we need is not merely more password ‘length and strength,’ but more login “width,” i.e. more than one login credential. And not just for better account *recovery* (as is the case with the likes of Hotmail), but for better *preventative* security: keeping the bad guys out to begin with.

    Gmail, for example, has two-factor authentication (password + code sent to cell phone), which includes the option of setting up a ‘trusted’ computer, so authorized in order to help prevent too much inconvenience where possible. So in the latter case, the correct password must be entered *from a particular device.* This is a good option for me, since I only ever access my email from a single home (desktop) computer. This is why I still use Gmail. Despite its rather abysmal customer support, it’s tops in PREVENTATIVE account security in the sense mentioned above.

    I’d really love to say ‘good-bye’ to Gmail and put all my eggs in Runbox’s basket. (Great personal technical support, privacy, etc.) But in order to do so, I have to feel more secure about ITS security measures.

    Honestly, I really don’t know much about technical aspects of email security — and maybe this is overkill — but how about something like:

    password (or even 2 separate password fields — would there be any advantage to that?)

    AND

    2FA (with the trusted computer option)

    AND

    a limit on the amount of login attempts possible before the account is locked down (requiring password/account recovery or contacting support)

    AND,

    of course, being sure that passwords are not stored or sent in plain text. If they’re stored in plain text and are ever stolen, the longest password in the world won’t protect one’s account. (See the ‘plaintextoffenders’ website for examples of sites displaying this kind of un-secure behavior, btw!)

    1. Scott: Thank you for the comments and suggestions — 2-factor authentication is something we plan to implement, so we hope to get you on board in the future!

  2. I am happy that you now allow PWs up to 64 characters long with a mix of characters, but your thinking about what makes a good PW seems not to be current. See here

    https://www.grc.com/haystack.htm

    and here

    http://www.baekdal.com/insights/the-usability-of-passwords-faq

    The idea here is that it’s LENGTH not complexity that matters!

    I created a new easy to remember PW that would take trillions of years to crack, according to the GRC site. You rejected it as too uniform, but it’s actually harder to crack than my current PW, which has more different kinds of characters, but is shorter.

    An attacker knows from reading this site that any space in a PW could be upper, lower, number, etc, and has to check all of them. The longer my PW, the harder to crack, regardless of the type of characters I use. Anyhow, given how long it would take to brute force attack any personal account, you’d see this happening and be able to stop it.

    The real security risk, according to
    http://www.baekdal.com/insights/usable-security-reply-to-security-now

    is how you store PWs on your server. Can you say a few words about this?

    Thanks!

    Barry

    1. Password strength is a factor of not just character set and length, but also of unpredictability — which is where numbers and special characters are helpful. Password crackers typically start with dictionary words and they rarely contain numbers or special characters. In other words, requiring numbers and special characters increases password strength.
