NordVPN launches password management solution NordPass
Disclosure: Ghacks may receive a referral fee if you click or buy any of the products featured here.
VPN provider NordVPN launched its password management solution NordPass recently after a prolonged early access test.
The solution is available for iOS and Android, and the browsers Chrome, Firefox, Opera and Microsoft Edge at the time of writing. Browser extensions require a companion app, called NordPass Background App, that needs to be downloaded and installed on desktop devices. You may only use the extensions on desktop devices if the background application is running.
A free version is available that is limited to a single device. Users who need access to their data on multiple devices can install it on these devices and the data will be synced between them, but only one session can be active at any time. Paid plans start at $2.49 for a 2-year subscription.
NordVPN promises that "all encryption and decryption" happens on the user's device. The service uses XChaCha20 encryption for the vault with Argon2 and zero-knowledge encryption. Any data that leaves the system is encrypted before it does so.
Users are asked to pick a master password during setup after they have entered their NordPass email address and verified the email. Access appears to be limited to NordPass customers at the time of writing or users who sign up for a paid plan. A recovery code is displayed that may be used to recover access if the master password is lost.
Options to import passwords from various browsers and password management solutions are provided. NordPass supports imports from Chrome, Opera and Firefox, and numerous password managers such as KeePass, LastPass, 1Password, Dashlane, or BitWarden. Options to import data from CSV files are also available.
Customers may enable two-factor authentication in the account settings to add another layer of protection to the account; this is highly recommended for users of the service as a breach provides access to all saved passwords. NordPass' two-factor authentication solution works with popular authentication apps like Authy, Google Authenticator or Duo Mobile.
The password manager displays icons next to login fields; activation displays available logins and options to select these to sign-in to the service in question.
The service does not indicate to the user if logins are available for the particular site; neither the icon in the browser's address bar nor the icons in the password fields highlight that. You find out only after you click on the icon in the field.
Sign-ins are semi-automated. The service does not seem to support auto-logins into sites which means that you need to select an account manually and hit the log-in button each time you want to sign in. Some users prefer it that way because of added security, others will probably miss the auto-login option as it makes the process more convenient.
The service may be used to pick passwords for new accounts and password changes for existing accounts. Options to modify the parameters for generated passwords are not provided. New accounts and changes are picked up by the service automatically and are saved on user request.
Other features that NordPass supports:
- NordPass users may save notes and credit card information as well using the service.
- Password sharing.
If you look at NordPass and compare it to other password management solutions, you may come to the conclusion that the service is too expensive for what it offers. Even if you compare the free version, you may notice that it lacks in comparison to other applications.
My main gripes with the service are that it requires a background app if you use a browser extension, that it lacks critical settings, e.g. to change password generation parameters, and needs more polishing as well, e.g. an indicator that a login was found for the active site.
I can see this doing well as part of a bundle with NordVPN but the service will have a hard time getting traction on its own because of the better, and oftentimes cheaper, solutions that are out there.
Now You: What is your impression? Do you use a password management solution?
Is that free for existing NordVPN users?
Only NordVPN customers may use it currently for free (but the free version is the limited one).
Nice, so they can also leak all saved notes, credit card numbers and passwords when they get hacked next time.
Indeed I have sometimes wondered if these cheap VPN services are in reality honeypots for high-risk users.
LOL, IKR. I was thinking the exact same thing
I’m actually surprised they decided to launch that service now, I mean they picked the worst time ever for them to announce such a thing!
lmao, my thoughts exactly. Should be noted that NordVPN spends most of their money on advertising their product rather than into their infrastructure. Horrible plan for a VPN company if you’re asking me. And the people responsible for this aren’t even that good at it:
https://www.youtube.com/watch?v=VrME4kn15rQ <- gets contacted by NordVPN rep
https://www.youtube.com/watch?v=G1thc5DSHwA <- followup after data breach
I can’t trust them because of the nord vpn hacked.
About “Hackers steal secret crypto keys for NordVPN.”
For that hoax, a verified article has been published.
NordVPN Hack – Everything You Need to Know (Updated Info) | restoreprivacy.com
October 23, 2019 By Sven Taylor
Summary of the article:
In March 2018, someone posted TLS certificates from NordVPN, TorGuard, and VikingVPN on 8chan. While the 2018 post seems to have fallen under the radar, the issue recently erupted on Twitter, which culminated in an article from TechCrunch alleging NordVPN had been “hacked”.
What could a hacker do with an expired TLS key?
This was an isolated case, and no other servers or datacenter providers we use have been affected.
Are NordVPN users compromised?
First, the hacker would not have any access to server logs because NordVPN is a no logs VPN provider that does not store anything on its servers. NordVPN passed a third-party audit by PricewaterhouseCoopers verifying its no-logs policy.
Second, NordVPN utilizes perfect forward secrecy, which generates a unique key for every session using ephemeral Diffie-Hellman keys. This means that even with a TLS key there’s little a hacker could even do, since the keys are used for server authentication and not traffic encryption.
The impact for NordVPN users is essentially null.
NordVPN is already one of the few VPN providers that have undergone a full third-party audit to verify their no-logs claims. This audit was completed in November 2018 and it appears a second audit is currently underway.
Additionally, NordVPN has told me they will reconfigure their server network to run in RAM-disk mode only. This indeed is a more secure setup over traditional hard drives as nothing can be stored on the server. Perfect Privacy runs their network this way and ExpressVPN has also transitioned to running all servers in RAM-disk, which they call the TrustedServer feature.
TechCrunch is a media outlet owned by Verizon, which also has a VPN service called “Safe Wi-Fi”. In this article you can see TechCrunch promoting Verizon’s VPN service, which is a direct competitor of NordVPN. This may explain why TechCrunch suddenly announced the “NordVPN hack” with such fanfare.
People appear to be somewhat divided on the issue. Some argue this shouldn’t even be called a “hack” as it involved an expired TLS key on a single server in Finland with no access to user data or traffic. Others are following the tune of TechCrunch and denouncing NordVPN.
NordVPN’s problem is that they took months to identify the issue, and even more months to disclose it to their customers. Also, isn’t RestorePrivacy part of Nord’s affiliate program?
I wouldn’t be that harsh on the whole brand. No user was affected by the breach and actually they did a pretty good job explaining everything and going publicly about it. Most of the companies would have denied such failure. Also, if you look into the features of their new product – NordPass, you may notice, that the company is using the most advanced security encryptions. So, they are really making an effort to create a quality service that actually protects your cybersecurity.
Is anyone actually storing credit card numbers in password managers? Sounds like a smart move … Anyway, one (or a few?) of their VPN servers being compromised does not mean anyone has unauthorized access to user’s login credentials, as I presume you already know. That said, I don’t get why NordVPN thought they should jump into this market as well, since there are quite some contenders already …
So the latest anti-privacy gold rush is password managers now. Let’s gather them locally with all the security risks it entails, cloud them, send partial data about them by default to online “security” services like HIBP. And now, apparently, any shady VPN company should be entrusted with all our passwords. Is the app even free software ?
And we’re supposed to pay for that, too ? And not $2.49 for two years, it’s per month, you start paying $60 for a 2 years subscription. Twice more without the discount. Hardly believable.
I avoid browser extensions that require a companion app, in this case NordPass’ Background App.
I avoid managing passwords with whatever extension or application connected to the Web, hence no multi-device password management.
I use the browser’s password manager and avoid as well its Sync feature, but sensitive credentials are not included (copy/pasted from a non-connected desktop application).
Of course should I use hundreds of passwords and many devices that I’d consider things differently. At this time, reading what this NordVPN password Manager offers (a free joke or a too expensive paid version considering the features) I’d likely opt for another solution, even paid.
I am a long-time user of NordVPN and I trust NordVPN, but in password management, limited to KeePass Password Safe and no other options can be considered.
The principle of risk management is decentralized management.
It is not possible to entrust important personal information and passwords to the same operating company or application.
At least “cloud” management does not become a candidate.
First, Nord seriously needs to work on restoring users’ faith in their security. They already had a breach in one of their data centers and didn’t bother disclosing it for years. So why exactly users should trust them with their passwords is beyond me, especially since security and good practices are far below advertising on their priority list. Just saying.
I’m using Roboform. I know it’s not what the cool kids use but it has worked well for me for the past decade. It has a couple of good features: safenotes is quite useful
I’d rather use a bitwarden. Freeish (open source), multiplatform and it lets me choose where to keep my data.