New research proves how important it is to use unique passwords – especially for your VPN

We've all heard the warnings countless times that using the same password in multiple locations is a cardinal sin, yet many still do it. What's even more worrying is that, according to a new study, millions of people have been using duplicate passwords for their VPN. That's an absolute no-no.

The results of the study by Swedish password manager and authentication provider Specops show that many users of the top VPN providers have had their passwords compromised. Even if you have one of the best VPNs in the world, using a duplicate password is akin to having an almost impenetrable castle, and then leaving the backdoor unlocked. 

With access to your VPN account credentials, hackers may be able to disable all of the protection that you get from using an encrypted connection, and even plant malware or steal sensitive data from restricted networks only accessible with the VPN. Given a lot of VPNs are used on work computers, that could be a nightmare. 

Poor password habits

The research reveals that over 2 million VPN passwords have been compromised over the past year, with the most passwords coming from the top consumer VPN providers. This makes sense: it's a lot easier to steal passwords through keyloggers and the like than it is to hack the most secure VPN services themselves.

Of course, the best way to stop this kind of fraud happening is to use secure passwords and one of the best password managers, but sadly it seems people still don't. A 2024 Google poll found that 52% of Americans used the same password in multiple places. 

Of the more than 2,000,000 passwords stolen, the most popular were the usual suspects. Over 5,000 people used '123456' while the five next most popular passwords also consisted entirely of consecutive number strings. 554 people even used just 'password', for shame. 

The price of popularity 

As mentioned, some large VPN providers had a lot of users with compromised passwords. That makes sense as their larger customer base makes for a target-rich environment. 

| Provider | Number of compromised passwords |
| --- | --- |
| Proton VPN | 1,306,229 |
| ExpressVPN | 94,772 |
| NordVPN | 94,772 |

Of the 2.1 million VPN passwords compromised, a huge 1.3 million were from Proton VPN, with 98,000 from ExpressVPN and 89,000 from NordVPN. But as I mentioned, that's not to say these services are insecure. It is in fact a comment on the security of these services that it is the human element (the choice of passwords) that hackers are preying on. 

So why is Proton VPN by far the most represented provider in the list of victims? Well, that's because it offers one of the best free VPNs, giving it a massive number of users.

In short, this research shows that no matter how effective your privacy software is, it means nothing if you're not using a unique password.

Andy Sansom
Staff Writer – VPN