I’ll start off by saying I am a long-time NordVPN user and I love the app/service on both PC and mobile. Today I decided to try NordPass Premium as an alternative to my current password manager service. Within 20 minutes of starting the free NordPass Premium trial, I spotted 2 major issues with how they have the NordPass service set up, both of which are deal-breakers. I’m hoping someone out there might have the solution. Here they are:
Issue 1: Let’s say you have NordPass installed on a device - say a browser extension on your PC. If you were to click “log out” on the extension, then you must log back into the extension with your NordAccount Credentials before you can then use your master password to unlock your NordPass vault. Well 2 guesses where responsible users choose keep their hard to guess passwords for important services like Nord… IN THE NORDPASS VAULT. This puts the user in the Catch22 where to access their vault they first need to log into the app/extension using their NordAccount credentials, but can’t log in to the app/extension because their NordAccount credentials are in their vault.
Issue 2: The craziest one - You can’t force the NordPass app or browser extension to ask for MFA every time you log in with your master password, if you are also running NordVPN on that device. I’m guessing a large percentage of NordPass users also use NordVPN - an app that most users set to load automatically on computer/device startup and that does not ask for NordAccount login credentials once it is first set up on the device. As long as NordVPN is running on your PC or mobile device, then it doesn’t ask for MFA to log into your NordPass vault. So if someone steals your PC or phone for example, and that same device uses NordVPN, there is no MFA check - all that is required is your master password! This is such a major flaw that I couldn’t believe Nord would have their product set up like this. As a result I no longer consider NordPass a viable password manager option, and I’m surprised that there is no option to always ask for MFA upon login to the NordPass Vault.
I already did a support call on NordPass help chat to confirm these, but I’d love for someone to prove me wrong so I can keep using NordPass.
I use MFA with an authenticator app and nord pass without issue. It’s in the set up settings
Also are you saying you want nord pass to store and auto fill it’s own master password? What would be the point of a master password?
I believe you misread my post. I have MFA set up properly as part of my Nord Account. What I’m saying is that I’d like it to prompt me for my MFA token code every time I log into NordPass, however this is not an available feature.
I’m not saying I want NordPass to store its own master password. I’m saying that if you mistakenly log out of the app, it requires you to log into your normal Nord account (using you email address/regular Nord account password, let’s call that Credentials1). Only then can you use the app and enter your Master password (let’s call that Credential2) to unlock your vault. However if you have your regular Nord Account credentials stored in NordPass, then you are stuck needing to enter Credential 2 in order to access Credential 1 from your vault to install the app.
This post/comment has been removed because it does not meet our karma requirements.
If this post is not spam, please contact the moderators for assistance.
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
What use case do you need to MFA more than every 10 min?
I’m saying that despite MFA being set up, it NEVER asks me for my MFA token code on my pc or phone. I mean never. Does yours ask you every time you log in?
What signout interval did you choose?
It is set to 15 minutes. It times out properly after that time, and my master password is required to log back in. However if you read my original post (in which I describe not only the issue but my specific scenario), the issue is the fact that it doesn’t ever ask for my MFA token in addition to the master password, despite having MFA enabled and a token set up properly.
When your signout interval has passed and you have to re-enter your master password, does it ask for your MFA token? This is what I am looking for (again, see my original post).
Thanks.
Tell me to read your original post one more time. Really doesn’t make you sound snotty
people who struggle with basic software configuration rarely have the necessary understanding to describe the problem accurately.
The OP asks a very valid question. I have no idea of the answer, as i am searching online to see what service to use that will work best with Brave. I am not sure what the comprehension problem is. There are two separate passwords to login. The OP said this very very very very inescapably clearly.
Then a second reply was, basically “why”. Who cares why a user needs to do what they do? They wish it done. Either someone knows or they do not.
“people who struggle with basic software configuration rarely have the necessary understanding to describe the problem accurately.”
People who struggle with basic human interaction rarely have the necessary understanding to communicate in a way that people prefer and come across as a human being. How bout that?
I am an IT Engineer and I completely understood his issue by reading the post. The MFA thing doesn’t affect me much as I do not have NordVPN on many devices. However, I found the Catch22 problem a constant PITA. And, while I don’t like it, I understand the justification behind it. Say you have A Family Plan for NordPass. So I have other people in my family that use NordVPN. They have the password for the Nord Account, but not my vault password. It is a failsafe, but I do find that clunky.
At any rate, you and your comments makes me believe that if you are an IT, you are a developer. Because those are the kinds of things developers say. Developers really are in their own plane of IT.
Snotty begets snotty, fedora.