VPNs are marketed as tools for privacy and safety, yet a recent Tom's Guide analysis found that many leading VPN services fail basic password-security tests: their sign-up forms accept passwords that are trivially guessable, leaving customer accounts exposed to password-guessing attacks. The investigation highlights the importance of enforced password policies and the need for VPN providers to treat account security as seriously as tunnel security.
The Weakest Links
Among the 25 VPNs tested, four stood out as the biggest offenders. FastestVPN, Hotspot Shield, OysterVPN, and ZoogVPN all allowed users to sign up with weak, easily guessable passwords such as 'password' and '12345678'. None of the four offered two-factor authentication (2FA), the additional layer that would limit the damage of a guessed password.
FastestVPN and OysterVPN had no password rules at all, so any string was accepted. Hotspot Shield's only rule was a six-character minimum and ZoogVPN's a five-character minimum; both test passwords are eight characters long, so they satisfied those rules without any trickery.
The Best of the Best
On the other hand, some VPNs excelled in password security. Surfshark enforced six rules: a minimum of eight characters, at least one uppercase letter, one lowercase letter, one number and one symbol, plus a check against known-breached passwords that also blocks common passwords with minor alterations. That breached-password check is what separates Surfshark from providers that rely on composition rules alone, and Surfshark also supports 2FA.
NordVPN and Private Internet Access (PIA) enforced standard composition rules: a minimum of eight characters with numbers, lowercase and uppercase letters, and symbols. Both support 2FA and both rejected the test passwords.
Room for Improvement
ExpressVPN accepts passwords of 8 to 124 characters and supports 2FA, but its only composition rule is that the password contain at least one symbol; it does not require letters or numbers. A password such as '@1234567', a keyboard sequence with a symbol prepended, was therefore accepted, which shows how little a single-symbol rule achieves on its own.
Proton VPN, despite offering a secure password generator and 2FA, was a disappointment. It enforced only a minimum length of eight characters, so both 'password' and '12345678' were accepted. Guidance and a generator help the users who choose to use them; without enforced rules, everyone else remains exposed.
Top Performers
PureVPN and PrivadoVPN stood out for their comprehensive password rules. PureVPN enforced four: a length of 8 to 52 characters, a mixture of uppercase and lowercase letters, a mixture of letters and numbers, and at least one special character. PrivadoVPN had six, requiring a minimum of eight characters, at least one uppercase or lowercase letter, one number, and one special character drawn from a specific list of symbols. Both provide secure password generators and support 2FA.
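To make the differences between these rule sets concrete, the following checker encodes the policies the article describes for several of the providers above (the "weakest links", Surfshark, NordVPN/PIA, ExpressVPN, Proton VPN and PureVPN) and runs the article's test passwords through each. This is an added example, not code from Tom's Guide or from any VPN provider; the breached-password sample, the leetspeak normalisation used to catch "minor alterations", and the SHA-1 prefix index (which mirrors the shape of a k-anonymity range lookup) are assumptions made for illustration, and the rule sets include nothing beyond what the article states.

```python
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a breached/common-password corpus. A real deployment
# would consult the full corpus or a range API rather than this tiny set.
BREACHED = {"password", "12345678", "123456789", "qwerty", "letmein"}


def _sha1(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# k-anonymity style index: first 5 hex chars of SHA-1 -> set of 35-char
# suffixes. Built locally from the sample; the lookup only ever needs the
# prefix, so a remote service would not learn the full hash (assumption).
RANGE_INDEX: dict[str, set[str]] = {}
for _pw in BREACHED:
    _h = _sha1(_pw)
    RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])

# Assumed leetspeak map for undoing "minor alterations" (P@ssw0rd -> password).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo leetspeak."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(_LEET) if len(core) >= 4 else pw.lower()


def is_breached(pw: str) -> bool:
    """True if the password or its normalised form is in the breached index."""
    for candidate in (pw, normalize(pw)):
        h = _sha1(candidate)
        if h[5:] in RANGE_INDEX.get(h[:5], set()):
            return True
    return False


@dataclass
class Policy:
    name: str
    min_len: int = 0
    max_len: Optional[int] = None
    upper: bool = False
    lower: bool = False
    digit: bool = False
    symbol: bool = False
    breach_check: bool = False

    def violations(self, pw: str) -> list[str]:
        v = []
        if len(pw) < self.min_len:
            v.append(f"shorter than {self.min_len}")
        if self.max_len is not None and len(pw) > self.max_len:
            v.append(f"longer than {self.max_len}")
        if self.upper and not any(c.isupper() for c in pw):
            v.append("no uppercase letter")
        if self.lower and not any(c.islower() for c in pw):
            v.append("no lowercase letter")
        if self.digit and not any(c.isdigit() for c in pw):
            v.append("no digit")
        if self.symbol and not any(c in string.punctuation for c in pw):
            v.append("no symbol")
        if self.breach_check and is_breached(pw):
            v.append("breached or trivially altered common password")
        return v

    def accepts(self, pw: str) -> bool:
        return not self.violations(pw)


# Rule sets transcribed from the article's descriptions.
POLICIES = {
    "FastestVPN": Policy("FastestVPN"),            # no rules at all
    "ZoogVPN": Policy("ZoogVPN", min_len=5),
    "Hotspot Shield": Policy("Hotspot Shield", min_len=6),
    "Proton VPN": Policy("Proton VPN", min_len=8),
    "ExpressVPN": Policy("ExpressVPN", min_len=8, max_len=124, symbol=True),
    "NordVPN": Policy("NordVPN", min_len=8, upper=True, lower=True,
                      digit=True, symbol=True),
    "PureVPN": Policy("PureVPN", min_len=8, max_len=52, upper=True,
                      lower=True, digit=True, symbol=True),
    "Surfshark": Policy("Surfshark", min_len=8, upper=True, lower=True,
                        digit=True, symbol=True, breach_check=True),
}

# The article's test passwords plus two constructed ones.
TEST_PASSWORDS = ["password", "12345678", "@1234567", "P@ssw0rd1!", "Tq7#vLm9!xRe"]


def matrix() -> dict[str, dict[str, bool]]:
    """Provider -> (password -> accepted?) for every test password."""
    return {name: {pw: pol.accepts(pw) for pw in TEST_PASSWORDS}
            for name, pol in POLICIES.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        cells = "  ".join(f"{pw}:{'ok' if ok else 'REJECT'}" for pw, ok in row.items())
        print(f"{name:15} {cells}")
```

Running it reproduces the article's findings (the length-only policies accept 'password' and '12345678', ExpressVPN accepts '@1234567', the composition policies reject all three) and also shows the gap the breached-password check closes: 'P@ssw0rd1!' satisfies every composition rule, so only the Surfshark-style policy rejects it.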
The Takeaway
This analysis underscores the importance of enforced password policies in the VPN industry. A minimum length alone admits 'password' and '12345678', a single-symbol rule admits '@1234567', and only the providers that combined composition rules with a breached-password check and 2FA rejected every weak candidate. Some providers get this right; others leave users at risk. Consumers should expect robust password rules and 2FA from their VPN services, and providers should lead by example: enforce strong rules at sign-up, check new passwords against breach corpora, and offer 2FA, so that the account protecting a user's traffic is not the weakest link.