Changes to the login process on third-party apps and routers

The following news is relevant to those who use NordVPN on their routers or connect to NordVPN servers through third-party apps, such as the OpenVPN app.

Please bear in mind that from June 14th, 2023, you will no longer be able to use your NordVPN email/username and password to authenticate your connection. This does not affect the native NordVPN app.

Instead, you will have to use service credentials, which can be found on the Nord Account dashboard:

  1. Click Set up NordVPN manually.
  2. You will receive a verification code at the email address that you use for NordVPN services. Type the code in.
  3. Copy the credentials using the “Copy” buttons on the right.

Why is this change happening?

By requiring service credentials across third-party apps, we increase our customers' security by decreasing the chances of a successful enumeration attack. To briefly explain what kind of attack that is, consider the following: when you log in to a third-party app, the app may react differently depending on which part of the provided credentials is wrong. For instance, if your password is correct but your username isn't, the app may take slightly longer to identify the mismatch than in the opposite case (the username is correct but the password isn't).

Such knowledge might be useful to hackers if, for example, they have a database of stolen usernames and passwords and want to check whether specific usernames are registered. They can enter the credentials they have into the login field and check whether the app reacts differently to the mismatches, e.g. how long it takes the app to respond. Once the pattern is established, it is possible to find out which usernames are registered with the service, which allows further attempts to break into the account by pairing relevant usernames with various known passwords. However, when service credentials are used, any such discrepancies become close to impossible to detect, which significantly improves general security.
