Account security and password strength

In the recent past, some high-profile companies have had user account details stolen by criminals. In some cases these details have been made public. Many people use the same usernames and passwords across different services, which means their other accounts may also be at risk.

Use a Strong Password

Runbox has not had a data breach. However, if you use one of the affected services and have used the same login with Runbox, then your Runbox account could also be at risk.

We would suggest you update your Runbox password if you feel it might be necessary. What would have been a strong password a few years ago might not be strong now, because criminals have an increasing ability to try large numbers of known passwords against accounts.

For useful tips about choosing strong passwords we recommend our Account Security help page. It is easier than you might think to create good passwords that are easy to remember.

Two-Factor Authentication

To improve account security further, Runbox will be launching two-factor authentication (2FA) in the near future.

With 2FA turned on you will need to provide your username and password plus an additional piece of information to access Runbox and your account settings. And if you choose to use IMAP, POP, or SMTP, you will be given strong passwords to use.

In the meantime, if you have any questions about account security, please contact us at Runbox Support.

19 thoughts on “Account security and password strength”

  1. I am glad to hear that Runbox are finally looking to implement 2FA, but please do not add location / fraud script checks. Such checks completely mess things up for people, like myself, who use VPN services for additional security. Also, please add YubiKey support as an option for 2FA.

  2. I’m looking forward to 2FA support from Runbox. I think it’s now the only 3rd-party service that I use which does not yet have this extra layer of protection in place.

    I hope that the implementation is not based on SMS, which has recently been announced as less secure than authenticator apps due to uncontrollable VoIP numbers masquerading as mobile numbers.

    You mentioned that with 2FA enabled, “you will be given strong passwords”… does this mean that Runbox will actually generate the passwords to use? Can this be similar to Apple’s “app-specific password” feature where each service has a separate one-time password generated? This is an extremely handy feature and limits the scope of any compromises significantly, although it does make configuration of apps more difficult. I’m not sure which way that Runbox will lean… ease of use, or stronger security. Can’t have it both ways, unfortunately, but through very good interface design, the user can be well-guided.

    I am surprised how long it’s taking to roll this feature out, though. We surely don’t want to see an embarrassing data breach while we wait. 🙂

    1. Our 2FA feature will have One Time Passwords, Timed One Time Passwords (via a standard app) and Application Specific Passwords that we will generate along the lines of Apple/Gmail as you mention.

      SMS has been asked for, but if we provide this option in the future it will of course be optional.

  3. I put my vote in for Yubikey. I really like this as a secondary authentication method. I also suggest not forcing users to use a certain number of symbols, numbers, cases, etc. I always find this infuriating as I use complex random passwords when I have to, but I prefer a passphrase using spaces instead of symbols. It’s been proven as a safe and effective way to create passwords, easy to type on a phone, TV, game system, etc. (on most non-PC devices you have to keep switching screens to find symbols). So please remove these restrictions and allow spaces in passphrases.

    1. Thanks for your comment. Yubikey is something we are looking at for the future. In the first instance we wanted to focus on options that have no additional cost for our customers.

      Regarding passphrases, yes, there are many people like yourself who are good at creating secure passphrases. However, evidence suggests there are many more accounts that are not secured with good passwords/passphrases and we have to also protect our system from those accounts being hijacked for the purpose of sending spam.

      When spammers do this they harm the reputation of Runbox for all customers, and we have to keep that in mind.

      We will discuss your suggestion though as it might be possible to accommodate it in the future.

  4. “Our 2FA feature will have One Time Passwords, Timed One Time Passwords (via a standard app) and Application Specific Passwords that we will generate along the lines of Apple/Gmail as you mention.”

    I do not have a smartphone, only an old clamshell Nokia model that can only receive sms.

    If I become a client of Runbox (because your login safety is now at last up-to-date), I require either to receive an SMS on this clamshell phone, or to be able to use a hardware handheld six-digit number key generator, as I am now using for my banking access.

    The index-finger-sized hardware key generator fits in my jeans pocket, is attached to my car key ring, has RSA encryption, generates a six-digit password that is changed every minute, and is by far my preferred solution; I am even willing to pay a bit more to get such a foolproof solution.

    Now if Runbox can implement it fast, they will get a new customer.

  5. A few months have passed since this update–I hope two-factor authentication is still on schedule. Especially timed one-time passwords.

    1. We are hard at work deploying all the modified software that will be using the authentication service, and will post more soon!

  6. I’m a new customer and looking forward to 2FA being implemented. However, like Alain above I would also be much in favour of using a hardware solution such as Yubikey or a random password generator and not an application that will require a smartphone or has to run on a computer. Willing to pay more for it. In a pinch, sms-authentication would also do. I understand that a hardware-approach does not currently seem to be a viable option but would suggest examining it for the future.

  7. Firstly, I want to commend Runbox for the services they have provided me hassle-free and uninterrupted. When I signed on a couple of years ago I asked this question about the availability of 2FA, and it was assured to me that this was a feature that was being considered, and in early development. Please guys, I love your services, but I cannot comfortably migrate over certain email addresses (banks, work, and professional) without having some (any) form of 2FA. So let me echo some other users: ideally for me I would be able to use a Google Authenticator app; however, a different app-based generator would be fine. Furthermore, Yubikey support would be brilliant, but I imagine the implementation to be a tad more complicated.

    Anyways, please don’t read this as a negative. I love your services (and recently renewed for another 3 years) and I truly hope you guys enjoy what you do and make at least a sustainable profit off of this. Cause I want you to stay around for a while!

    -Robert

  8. Enjoy your services and your commitment to safeguarding privacy. Would like to see yubikey/2fa added as an option. Thank you

  9. I like the Yubikey but it’s not cheap. Also remember that for a hardware based solution you should ideally purchase TWO devices so that you have a backup in case the primary device is lost or broken (arguably recovery codes may also be used.)

    The much better solution would be a FIDO Alliance U2F authenticator. Some of these devices are available for as little as USD 5. This is what I’m using with my Dropbox account. Please consider it.

  10. Yubikey is an implementation of Fido U2F. They are one of the core supporters of the technology. It would be fantastic if U2F support were added.

  11. Once again, Yubikey is not a protocol, it’s just a product sold by Yubico AB. Saying “Please support Yubikey” is meaningless because this product supports up to 5 completely different authentication protocols according to the model you purchase. These are:

    1) OATH-TOTP RFC6238, one-time passwords that typically last 30 seconds (e.g. Google Authenticator, Auth, etc.).
    2) OATH-HOTP RFC4226, event-based one-time passwords. Very safe but with a tendency to go out-of-sync easily, requiring the use of a look ahead window.
    3) Yubico Cloud proprietary authentication service. Not recommended.
    4) HMAC-SHA1 Challenge Response RFC6287. Excellent.
    5) Fido Alliance U2F.

    By far the U2F solution is the easiest and the safest. The user has nothing to download or configure on his client, and there are no out-of-sync issues. The possibility of registering several tokens for the same remote server makes it very convenient in case a token is lost. The tokens are the cheapest to purchase, for less than 10 Euros (HyperSecu, Plug-Up, Happlink, etc.). U2F is supported by Chrome and other Chromium-based browsers, Firefox, Safari and Opera.

    HMAC-SHA1 C-R is a good runner up. However tokens are more expensive. And it does require the user to manually configure the set-up, and unlike U2F there must be a shared secret.
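The OATH-HOTP (RFC 4226) and OATH-TOTP (RFC 6238) options from the list above, with the look-ahead window the comment mentions for resynchronising a drifted HOTP token, as an added illustration in Go; this is not Runbox's code nor the commenter's, and the secret, counter window and 30-second step are assumptions taken from the RFC test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP computes an RFC 4226 one-time password from a shared secret and a counter.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP (RFC 6238) is HOTP with the counter set to the number of time steps since the epoch.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step.Seconds())), digits)
}

// HOTPVerifier is the server-side state for one user. Note that Secret is the same value the
// token holds: anyone who steals this record can generate valid codes.
type HOTPVerifier struct {
	Secret    []byte
	Counter   uint64 // next counter value expected from the token
	LookAhead uint64 // how many counters ahead to search when the token has drifted
}

// Verify accepts a code matching any counter in [Counter, Counter+LookAhead], then moves
// Counter past the match so the same code cannot be replayed.
func (v *HOTPVerifier) Verify(code string) bool {
	for i := uint64(0); i <= v.LookAhead; i++ {
		if hmac.Equal([]byte(HOTP(v.Secret, v.Counter+i, 6)), []byte(code)) {
			v.Counter += i + 1
			return true
		}
	}
	return false
}
```

The secret "12345678901234567890" is the RFC 4226 test key, so the codes can be checked against Appendix D of that RFC and Appendix B of RFC 6238.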

  12. I would like to add something here. TOTP, HOTP, HMAC C-R, U2F are all equally safe and effective authentication methods from a theoretical point-of-view. None is thought to be superior to the other.

    However when U2F was designed practical aspects were taken into consideration as well. For instance, what happens if the server itself is compromised and your login credentials are stolen?

    TOTP, HOTP, HMAC C-R all make use of a shared secret between the client and the server. If stolen, this shared secret can easily be used to impersonate you.

    However U2F does not rely on shared secrets. If your U2F login credentials were stolen, all the attacker would end up with would be a public encryption key, a key handle, and possibly an encrypted private key (depending on the implementation). These are all useless to an attacker as the (clear) private key only lives on the U2F token secure element.
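The property the comment describes, that a U2F server record holds no secret, as an added Go sketch that is neither Runbox's code nor a real U2F implementation: the token keeps a P-256 private key and a signature counter, the server keeps only the public key and the last counter, and the signed data layout is simplified from the real protocol (assumptions noted in the comments).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Token stands in for a U2F authenticator: the private key never leaves it; counter bumps per use.
type Token struct{ priv *ecdsa.PrivateKey; counter uint32 }

// Record is all the server stores: public key plus highest counter seen. A stolen copy cannot sign.
type Record struct{ Pub *ecdsa.PublicKey; Counter uint32 }

// Register generates a P-256 key pair on the token and hands the server the public half.
func (t *Token) Register() (*Record, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.priv = priv
	return &Record{Pub: &priv.PublicKey}, nil
}

// signedData binds a signature to app ID, counter and the server's random challenge
// (simplified: real U2F also signs a user-presence byte and hashes app ID and challenge).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h := sha256.Sum256(append(append([]byte(appID), c[:]...), challenge...))
	return h[:]
}

// Authenticate answers a challenge with a signature and the token's current counter.
func (t *Token) Authenticate(appID string, challenge []byte) (uint32, []byte, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedData(appID, t.counter, challenge))
	return t.counter, sig, err
}

// Verify checks the signature with the stored key; a non-advancing counter means replay or a cloned token.
func Verify(rec *Record, appID string, challenge []byte, counter uint32, sig []byte) bool {
	if counter <= rec.Counter || !ecdsa.VerifyASN1(rec.Pub, signedData(appID, counter, challenge), sig) {
		return false
	}
	rec.Counter = counter
	return true
}
```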
