The tools millions of people rely on to protect their privacy online are, in several cases, failing to enforce the most basic safeguards on their own front doors. An analysis of 25 VPN services found that at least seven accept passwords as trivially weak as "password" or "12345678" - credentials that any competent attack would crack within seconds. For an industry that markets itself on the premise of security, the findings are difficult to overlook.
What the Testing Revealed
The methodology was straightforward. Accounts were created across 25 VPN providers, with four test passwords entered at sign-up: "password", "12345678", "1234pass", and "@1234567". Researchers recorded whether each provider displayed password rules, enforced those rules, and offered two-factor authentication (2FA) as an additional layer of protection.
Four VPNs stood out as the most exposed - FastestVPN, Hotspot Shield, OysterVPN, and ZoogVPN - because they not only accepted all four weak test passwords but offered no 2FA whatsoever. With no complexity requirements and no secondary verification, accounts with these providers rest on a single, easily compromised credential. Hotspot Shield's only rule was a minimum of six characters. ZoogVPN required at least six characters but failed to communicate this clearly until users had already begun typing. FastestVPN and OysterVPN required eight characters at minimum, but nothing more.
Three additional providers - AirVPN, CactusVPN, and TorGuard - accepted at least one weak test password, though each does support 2FA, which partially compensates for the lax entry requirements. CactusVPN set no lower limit whatsoever: a single character was accepted as a valid password.
The Best Performers and Where Top Names Fell Short
Among the five VPNs evaluated from a leading best-VPN shortlist - NordVPN, Surfshark, ExpressVPN, Proton VPN, and Private Internet Access (PIA) - results were mixed.
Surfshark was the most rigorous. It enforces six distinct rules requiring at minimum eight characters, at least one uppercase letter, one lowercase letter, one number, and one symbol. Crucially, it also runs a breach-check against known compromised password databases, meaning that technically compliant but commonly exposed combinations - such as "@Password1" - are still rejected. All four test passwords were blocked with clear explanations. 2FA is supported.
NordVPN and PIA both enforced standard multi-rule requirements covering character length, case variation, and numbers, with NordVPN also requiring a symbol. Both blocked all test passwords and support 2FA. PureVPN and PrivadoVPN, outside the top-five group, also performed strongly - enforcing four and six rules respectively, blocking all weak passwords, and providing clear feedback on exactly which requirements were unmet.
Proton VPN was the most notable disappointment given its strong reputation for privacy. The provider warns users about vulnerable passwords, offers detailed suggestions, and even includes a built-in password generator and 2FA support. But none of the advice is enforced. The only hard requirement is a minimum of eight characters, meaning "password" and "12345678" are both accepted without objection. Guidance without enforcement is, in practice, optional - and most users will not act on warnings they are free to ignore.
ExpressVPN presented a different profile. It blocks the weakest test passwords, supports 2FA, and frequently replaces password entry with a one-time code sent to a registered email address - a valid alternative approach to account security. However, it accepted "@1234567" because it imposes no letter requirement, and its rules overall were thinner than those of the stronger performers in this analysis.
Why This Matters Beyond Individual Risk
Weak passwords are not merely an inconvenience - they are the most consistently exploited entry point in account-level attacks. Credential stuffing, where lists of previously leaked username-and-password combinations are automatically tested across services, is widespread and largely automated. A VPN account secured by "12345678" is not meaningfully protected at all.
The irony runs deeper for this particular industry. VPN providers actively market privacy and security as their core value proposition. Users choose these services specifically because they want to reduce their exposure online. Discovering that the account protecting access to those privacy tools can itself be opened with a six-character dictionary word undermines the entire premise.
Password rules are not technically complex to implement. Requiring a minimum length, enforcing character variety, and checking entries against known breach databases are all standard, well-established practices. The gap between providers in this analysis is not a question of technical capability - it reflects a difference in how seriously each provider treats user account security as part of its responsibility.
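To show how little code the rules above amount to, here is an added example (not code from the analysis or from any provider) that implements the six-rule policy described for Surfshark beside a length-only policy like the one described for Proton VPN, and runs the article's four test passwords plus "@Password1" through both. The breach corpus is a constructed five-entry stand-in stored as SHA-1 digests, and the `Policy`, `unmet_rules` and `accepts` names are assumptions of this example.

```python
import hashlib
import re
from dataclasses import dataclass


def _sha1(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach database: digests of a few exposed passwords.
# A real deployment would check against a full leaked-password corpus, not this
# hypothetical five-entry set.
BREACHED_SHA1 = {_sha1(p) for p in ("password", "12345678", "1234pass",
                                     "@1234567", "@Password1")}


@dataclass(frozen=True)
class Policy:
    min_len: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    breach_check: bool = True


STRICT = Policy()  # the six rules the article describes for Surfshark
LENGTH_ONLY = Policy(min_len=8, require_upper=False, require_lower=False,
                     require_digit=False, require_symbol=False, breach_check=False)


def unmet_rules(pw: str, policy: Policy) -> list[str]:
    """Return the rules `pw` fails under `policy`; an empty list means accepted."""
    unmet = []
    if len(pw) < policy.min_len:
        unmet.append(f"at least {policy.min_len} characters")
    if policy.require_upper and not re.search(r"[A-Z]", pw):
        unmet.append("an uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", pw):
        unmet.append("a lowercase letter")
    if policy.require_digit and not re.search(r"\d", pw):
        unmet.append("a number")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", pw):
        unmet.append("a symbol")
    # Compare digests so the plaintext corpus never needs to be held in memory.
    if policy.breach_check and _sha1(pw) in BREACHED_SHA1:
        unmet.append("not present in a known breach")
    return unmet


def accepts(pw: str, policy: Policy) -> bool:
    return not unmet_rules(pw, policy)


if __name__ == "__main__":
    for pw in ("password", "12345678", "1234pass", "@1234567", "@Password1", "Tr0ub4dor&3x"):
        print(f"{pw!r:16} strict={accepts(pw, STRICT)!s:5} "
              f"length-only={accepts(pw, LENGTH_ONLY)!s:5} missing: {unmet_rules(pw, STRICT)}")
```

Under the length-only policy every one of the four test passwords passes, which is exactly the acceptance pattern the analysis reports for the weakest providers; the strict policy rejects them all and also catches "@Password1" on the breach check alone.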
What Users Can Do Now
Regardless of what a provider allows, users retain control over the credentials they choose. A few principles apply universally:
- Use a password that is at least 12 characters long, combining uppercase and lowercase letters, numbers, and symbols.
- Never reuse passwords across services - a breach at one provider should not compromise accounts elsewhere.
- Enable 2FA wherever it is offered. Even a weak password becomes significantly harder to exploit when a second verification step is required.
- Use a reputable password manager to generate and store complex, unique credentials for every account.
The burden should not fall entirely on users. Providers that permit weak passwords are making an active choice - and in the context of services sold explicitly on the basis of security, that choice reflects a meaningful gap between marketing and practice. Until enforcement catches up with reputation, the responsibility sits with both sides of the login screen.