Popular virtual private network (VPN) company NordVPN officially launched its NordPass password management app in general availability this week, five months after introducing the service under an early access program.
The launch shows how one of the biggest consumer brands in the online privacy space is diversifying to capitalize on increasing data privacy concerns. It also comes as password protection and management services are gaining steam, due in large part to the flood of high-profile data breaches in recent years, with poor password hygiene cited as a leading cause.
NordVPN was founded back in 2012 and has grown to become one of the most popular VPN brands around the world, claiming some 12 million users globally. After the Hong Kong protests kicked off earlier this year, NordVPN reportedly became the most downloaded app across the region, spurred by reports that the government might start blocking key digital services, such as social networks, much the way Mainland China controls the flow of online information.
But NordVPN also faced controversy after reports last month detailed how hackers had breached one of its servers, potentially gaining access to encryption keys, though it’s not clear whether any damage occurred (beyond injury to the company’s reputation). Two weeks later, a separate report found that thousands of NordVPN users had fallen victim to credential-stuffing attacks that led to unauthorized access of their NordVPN accounts. There was nothing to indicate that this was related to the earlier server breach, however — it was most likely due to end users choosing basic passwords and reusing them across multiple online services. A breach of just one of those services potentially compromises each of the other accounts that use the same email and password combination. This type of breach is just one reason password management apps are in such demand.
Poor password hygiene is a major driving force behind security breaches — particularly in businesses, where 81% of all breaches are said to be due to compromised passwords. Password management services aim to cut this problem off at the root by encouraging automatically-generated “unguessable,” passwords that are unique to each online service, negating the need for users to memorize or write them down.
Global demand for password management solutions in mobile devices amounted to $113.3 million in 2016, according to a report last year from Grand View Research, which estimates the figure will rise to more than $2 billion by 2025. Much of this growth will come from the enterprise, of course, but habits from the workforce often spill over into everyday life. And as data breaches continue to impact more consumers, demand for password protection and management services across the spectrum will likely rise.
Judging from activity across the password management landscape this past year, we’re already seeing evidence of this trend. Back in February, Google launched its Password Checkup Chrome extension that warns users if their login credentials for any website have been involved in a data dump from other services. And Mozilla launched its Firefox Lockbox service for Android users, enabling them to log into native mobile apps using passwords that are already stored in their Firefox browser.
Elsewhere, password management stalwart 1Password recently raised a gargantuan $200 million series A round — the first outside funding in its 14-year history — to scale its service in the enterprise. This came just a few months after rival Dashlane raised $110 million to grow its service in both the consumer and enterprise realms.
It’s against this backdrop that NordVPN officially unveiled NordPass this week.
“Some find passwords unimportant; some tend to save their imagination for different tasks,” said NordVPN communications head Ruby Gonzalez. “Others have problems with remembering difficult combinations of letters and numbers. We all have been there, and that’s why we came up with NordPass.”
It has been a busy few months for NordVPN, as the company has also brought two other notable products to market. A few weeks back, it launched a file encryption tool called NordLocker, and in September it rolled out a new VPN service aimed specifically at businesses, called NordVPN Teams.
NordPass fits neatly into NordVPN’s broader push — with more than 10 years of reputation-building in the VPN realm, the company is striving to capitalize on brand recognition in all manner of privacy-focused verticals. An estimated 300 billion passwords will be in operation globally by 2020, according to some estimates, which means all the big privacy players have a chance to get their piece of the pie.
In terms of NordVPN’s specific proposition, a basic free version works with a single device, but unlocking multi-device support and other features requires a subscription ranging from $2.49 to $4.99 per month, depending on the length of your commitment.
NordPass sports most of the same features as other password management services, including cross-platform support enabled by iOS and Android apps, in addition to browser extensions for Firefox, Chrome, Edge, Opera, Brave, and Vivaldi. It also promises “zero-knowledge” architecture, two-factor authentication, the ability to store other data forms — such as notes and credit cards — and more. And NordVPN touts its “top-of-the-field” XChaCha20 encryption — used by the likes of Google and Cloudflare — for its password vault, and Argon 2 for key derivation.
“Password information belongs to users only — that’s why our product has zero-knowledge encryption,” Gonzalez added. “By the time your data reaches our servers, it’s already been encrypted on your device. That means we have zero knowledge about the items saved in your vault.”