We've all heard the warnings countless times that using the same password in multiple locations is a cardinal sin, yet many still do. What's even more worrying is that in a new study, it seems that millions of people have been using duplicate passwords for their VPN. That's an absolute no-no.
The results of the study by Swedish password manager and authentication provider Specops show that many users of the top VPN providers have had their passwords compromised. Even if you have one of the best VPNs in the world, using a duplicate password is akin to having an almost impenetrable castle, and then leaving the backdoor unlocked.
With access to your VPN account credentials, hackers may be able to disable all of the protection that you get from using an encrypted connection, and even plant malware or steal sensitive data from restricted networks only accessible with the VPN. Given a lot of VPNs are used on work computers, that could be a nightmare.
Poor password habits
The research reveals that over 2 million VPN passwords have been compromised over the past year, with the most passwords coming from the top consumer VPN providers. This makes sense, it's a lot easier to steal passwords through keyloggers and the like than it is to hack the most secure VPN services themselves.
Of course, the best way to stop this kind of fraud happening is to use secure passwords and one of the best password managers, but sadly it seems people still don't. A 2024 Google poll found that 52% of Americans used the same password in multiple places.
Of the more than 2,000,000 passwords stolen, the most popular were the usual suspects. Over 5,000 people used '123456' while the five next most popular passwords also consisted entirely of consecutive number strings. 554 people even used just 'password', for shame.
The price of popularity
As mentioned, some large VPN providers had a lot of users with compromised passwords. That makes sense as their larger customer base makes for a target-rich environment.
| Provider | Number of compromised passwords |
|---|---|
| Proton VPN | 1,306,229 |
| ExpressVPN | 94,772 |
| NordVPN | 94,772 |
Of the 2.1 million VPN passwords compromised, a huge 1.3 million were from Proton VPN, with 98,000 from ExpressVPN and 89,000 from NordVPN. But as I mentioned, that's not to say these services are insecure. It is in fact a comment on the security of these services that it is the human element (the choice of passwords) that hackers are preying on.
So why is Proton VPN by far the most represented provider in the list of victims? Well, that's because it offers one of the best free VPNs, giving it a massive amount of users.
In short, this research shows that no matter how effective your privacy software is, that means nothing if you're not using a unique password.
