The remote worker threat model
The office network, for all its imperfections, provided meaningful security guarantees: corporate firewall, managed devices, physical access controls, and IT staff who could respond to incidents. Remote work eliminates most of these. The threat model for a remote worker is fundamentally different from an office worker's:
- Home networks are shared with family members, smart devices, gaming consoles, and other systems over which the corporate IT team has no visibility
- Personal devices may have weaker security configurations, out-of-date software, and personal applications that are vectors for malware
- Work sessions happen alongside personal sessions in the same browser, the same device, the same network — blurring the security boundary
- Physical security is absent: shoulder surfing in cafes or by family members, unattended unlocked screens, and devices that can be lost or stolen in transit
- IT response time to a security incident is measured in hours or days, not minutes
The credential implications: every credential you use for work is more exposed when you work remotely than when you work in an office. The compensating controls are primarily authentication-based — stronger credentials, MFA, and clear separation between work and personal accounts.
Home network security
Your home router is the perimeter between your work traffic and the internet. Default configurations on most home routers are inadequate for work-from-home use:
- Change the router admin password: The default admin credential is shared by every other router of that model (or printed on a label on the device), and the administration interface is normally reachable from the local network, so anyone on your network can log in after a web search for the default password. Change it to a unique 20-character randomly generated password, stored in your password manager, and make sure administration from the WAN side is disabled.
- Update router firmware: Firmware updates patch security vulnerabilities, and most consumer routers don't install them automatically. Enable automatic updates if the router offers them; otherwise check the admin interface regularly, at least every few months. A router that no longer receives updates from its vendor should be replaced.
- Separate work from IoT devices: Smart TVs, cameras, thermostats, and other IoT devices often have poor security. A separate guest network or VLAN for IoT devices isolates them from your work devices.
- Use WPA3 if available: If your router supports WPA3, enable it for your primary network. If not, WPA2 with AES/CCMP is acceptable; WEP and the original WPA (TKIP) are not. Disable WPS while you are in the settings, since its PIN mode can be brute-forced.
- Strong WiFi password: The password for your work WiFi network should be a minimum 20-character randomly generated string, not YourAddress2024!.
Personal devices for work (BYOD)
Using personal devices for work (BYOD — Bring Your Own Device) is common in remote work but creates credential risks that office environments don't have:
- Browser profiles: Use a separate browser profile (or a separate browser) for work. This prevents personal browser extensions from accessing work sessions, and prevents work cookies and sessions from being exposed if you visit a malicious site during personal browsing.
- Keep OS and software updated: Personal devices that fall behind on updates are a common attack vector. Enable automatic OS updates, and keep browsers and office software current as well.
- Device encryption: Enable full-disk encryption. On macOS this is FileVault (System Settings → Privacy & Security; System Preferences → Security & Privacy on older versions). On Windows it is BitLocker (Pro and Enterprise editions) or Device Encryption on Home-edition hardware that supports it. If the device is lost or stolen while powered off or locked, encryption prevents access to stored credentials and documents; it does not protect a machine left running and unlocked.
- Screen lock: Auto-lock after 5 minutes of inactivity. This is especially important in shared spaces or when you have family members around.
- Antivirus: On Windows, the built-in Microsoft Defender Antivirus is adequate for most users. On macOS, the built-in XProtect combined with careful behaviour is sufficient; expensive commercial AV products add little on modern macOS.
Public WiFi and coffee shops
Public WiFi networks — cafes, airports, hotels, co-working spaces — should be treated as hostile networks for work purposes. Specific risks:
- Evil twin attacks: An attacker sets up a WiFi network named "Starbucks WiFi" or "Airport Free WiFi" that relays traffic through the attacker's own gateway, allowing credential interception on plain-HTTP connections and session hijacking on HTTPS sites that do not use HSTS or the Secure cookie flag. The clone is often open (no password) and has a stronger signal than the real network, so a device that auto-joins by SSID alone will prefer it.
- Network sniffing: On unencrypted or weakly encrypted public networks, traffic can be observed by other network participants.
- Physical shoulder surfing: In busy public spaces, screens are visible to people behind and beside you. Password fields, MFA codes, and sensitive documents can be observed directly.
The mitigation: always use a VPN when on public WiFi. Your employer should provide one. If they don't, a personal VPN (Mullvad, ProtonVPN) is adequate for personal threat models — though it does not provide the network access controls of a corporate VPN. A cellular hotspot (personal hotspot from your phone) is preferable to public WiFi for sensitive work.
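To make the evil-twin indicators above concrete, here is a heuristic check of the kind a client could run over a Wi-Fi scan before auto-joining a saved network. This is an added example, not code from the page or from any operating system; the scan results and the saved-network table are constructed, and SECURITY_RANK, AccessPoint, find_suspects and safe_to_autojoin are names chosen for this illustration.

```python
"""Heuristic evil-twin / downgrade check over a Wi-Fi scan list.

Added example. A real client would take the scan from the OS (e.g. the output
of `nmcli dev wifi list` on Linux) and the saved networks from its own store;
here both are constructed inline so the script runs offline.
"""
from dataclasses import dataclass

# Ordering used to detect a security downgrade (higher is stronger).
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str   # one of SECURITY_RANK's keys
    signal_dbm: int


# Constructed: what the laptop remembers about networks it has joined before.
KNOWN_NETWORKS = {
    "Airport Free WiFi": {"security": "wpa2",
                          "bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}},
    "Home-Office": {"security": "wpa3", "bssids": {"10:20:30:40:50:60"}},
}

# Constructed scan. The third entry is an attacker's clone of the airport
# SSID: open, never-seen BSSID, and louder than the genuine access points.
SCAN = [
    AccessPoint("Airport Free WiFi", "00:11:22:aa:bb:01", "wpa2", -67),
    AccessPoint("Airport Free WiFi", "00:11:22:aa:bb:02", "wpa2", -71),
    AccessPoint("Airport Free WiFi", "de:ad:be:ef:00:01", "open", -40),
    AccessPoint("Cafe Guest", "aa:bb:cc:dd:ee:ff", "open", -55),
    AccessPoint("Home-Office", "10:20:30:40:50:60", "wpa3", -45),
]


def find_suspects(scan, known):
    """Return (ssid, bssid, severity, reason) for access points not to auto-join.

    Severity "high": security weaker than the saved network, or an SSID that is
    advertised both open and encrypted (the classic evil-twin pattern).
    Severity "low": a BSSID never seen for a saved SSID (venues do add APs).
    """
    by_ssid = {}
    for ap in scan:
        by_ssid.setdefault(ap.ssid, []).append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        seen_ranks = {SECURITY_RANK[ap.security] for ap in aps}
        saved = known.get(ssid)
        for ap in aps:
            rank = SECURITY_RANK[ap.security]
            reasons, severity = [], None
            if saved is not None:
                if rank < SECURITY_RANK[saved["security"]]:
                    reasons.append("weaker security than the saved network")
                    severity = "high"
                if ap.bssid.lower() not in saved["bssids"]:
                    reasons.append("BSSID not previously seen for this SSID")
                    severity = severity or "low"
            elif len(seen_ranks) > 1 and rank == min(seen_ranks):
                reasons.append("same SSID also advertised with stronger security")
                severity = "high"
            if reasons:
                findings.append((ssid, ap.bssid, severity, "; ".join(reasons)))
    return findings


def safe_to_autojoin(scan, known, ssid):
    """True only if no access point advertising `ssid` has a high-severity finding."""
    return not any(s == ssid and sev == "high"
                   for s, _, sev, _ in find_suspects(scan, known))


if __name__ == "__main__":
    for ssid, bssid, severity, reason in find_suspects(SCAN, KNOWN_NETWORKS):
        print(f"[{severity}] {ssid} ({bssid}): {reason}")
    for ssid in KNOWN_NETWORKS:
        print(f"auto-join {ssid!r}: {safe_to_autojoin(SCAN, KNOWN_NETWORKS, ssid)}")
```

The security downgrade is the decisive signal; an unknown BSSID on its own is only a hint, because large venues add access points all the time. The check is blind to a clone that advertises the same security type and uses the venue's publicly posted password, which is exactly why the VPN or cellular hotspot advice in this section stands regardless of what the scan says.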
VPN authentication
Corporate VPNs are primary targets for credential attacks — a compromised VPN credential gives an attacker direct access to the internal network from anywhere in the world. VPN authentication deserves heightened security compared to other credentials:
- Your VPN password should be unique, long (≥ 20 characters), and stored in your password manager — never reused anywhere else
- MFA must be enabled for VPN access — if your employer hasn't required it, ask IT to enable it
- Use a hardware security key (FIDO2) or a TOTP authenticator app for VPN MFA. A hardware key is the strongest option because it resists phishing; TOTP codes can be phished in real time; SMS OTP is the weakest acceptable option and should be replaced wherever a choice exists
- Never share VPN credentials with family members or give someone else access to your VPN session — your credentials are tied to your identity and audited
- Report immediately if you suspect your VPN credentials have been compromised — VPN credential compromise is a major incident, not a minor issue
Shared home devices
Working from home in a household with other adults or children creates credential risks that single-occupant offices don't have:
- Separate user accounts: If family members use your work computer, they should have their own user account — not access under your account. This prevents accidental access to work systems and credential exposure.
- Lock before walking away: Develop the habit of locking (Win+L or Cmd+Ctrl+Q on macOS) whenever you leave the keyboard — even to answer the door or get coffee.
- Password manager master password: Your password manager's master password should be something you have memorised and that family members (especially children) do not know. Consider using a passphrase that you don't write down anywhere in the home.
- Work documents and shared folders: Don't save work documents to shared family cloud storage (family Google Drive, Dropbox). Keep work documents in employer-provided or dedicated work storage.
Video conferencing credentials
Video conferencing accounts — Zoom, Teams, Google Meet, Webex — are a frequently underestimated credential risk. A compromised Zoom account can expose private meetings, recorded calls, and in some enterprise configurations, access to shared content and directories:
- If the account sits behind your corporate SSO, sign in that way and don't set a separate local password; if it doesn't, use a unique, strong password that is not reused for any other service
- Enable MFA on your Zoom or conferencing account directly if it is not already enforced through your employer's SSO
- Use waiting rooms for all meetings — this prevents uninvited participants from joining if a meeting link is shared
- Don't post meeting links publicly — especially for recurring meetings with consistent links
- Log out of video conferencing apps when not in use, particularly on devices shared with family members
Password manager for remote work
A password manager is the central tool for remote work credential security. The specific remote work benefits:
- Unique passwords for every system without memorisation burden — enabling the unique-credential requirement without cognitive overload
- Works across all devices — desktop, laptop, mobile — ensuring you have access to credentials when working from different locations
- Auto-fill reduces the risk of accidentally typing credentials into phishing sites (the password manager recognises the correct domain and won't fill on lookalike sites)
- Encrypted vault — if your device is lost or stolen, credentials are not exposed as plaintext
For remote workers: 1Password ($2.99/month individual, $4/user for teams) or Bitwarden (free individual plan) are the standard choices. If your employer provides a password manager, use it — and use a separate personal password manager for personal accounts to maintain separation.
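The auto-fill point above rests on one piece of logic: the manager decides whether the page it is looking at belongs to the saved entry. Here is that decision written out, with the mistake (a substring test) beside the hardened form. This is an added example, not code from 1Password, Bitwarden or any other product; the PUBLIC_SUFFIXES set is a tiny stand-in for the Public Suffix List that real managers ship, and the page URLs are constructed.

```python
"""Domain matching of the kind a password manager does before auto-filling.

Added example. PUBLIC_SUFFIXES is a stand-in for the Public Suffix List;
a real manager ships the full list and updates it.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumption: these few suffixes are enough for the cases shown here.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: Optional[str]) -> Optional[str]:
    """Return the eTLD+1 of a hostname: "login.example.com" -> "example.com"."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    suffix_len = None
    for n in range(1, len(labels)):            # longest public suffix wins
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
    if suffix_len is None:
        return None                            # unknown suffix: refuse to guess
    return ".".join(labels[-(suffix_len + 1):])


def naive_should_fill(saved_domain: str, page_url: str) -> bool:
    """The mistake: a substring test matches lookalike and attacker-controlled URLs."""
    return saved_domain in page_url


def should_fill(saved_url: str, page_url: str, exact_host: bool = False) -> bool:
    """Fill only on an HTTPS page whose registrable domain equals the saved entry's.

    exact_host=True is the stricter mode some managers offer: the full
    hostname must match, so a sibling host like sso.example.com is refused.
    """
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https":                 # never fill over plaintext
        return False
    if exact_host:
        return saved.hostname is not None and saved.hostname == page.hostname
    saved_dom = registrable_domain(saved.hostname)
    return saved_dom is not None and saved_dom == registrable_domain(page.hostname)


SAVED = "https://login.example.com/"

# Constructed page URLs; the value is the verdict a careful manager should give.
CASES = {
    "https://login.example.com/session": True,    # the real site
    "https://sso.example.com/": True,             # sibling host, same eTLD+1
    "https://example.com.evil.net/login": False,  # prefix lookalike
    "https://evil.net/?next=example.com": False,  # saved domain only in the query
    "https://login.example.com@evil.net/": False, # userinfo trick: host is evil.net
    "https://examp1e.com/": False,                # typo-squat
    "http://login.example.com/": False,           # plaintext: do not fill
}


def verdicts(saved: str = SAVED, cases=CASES) -> dict:
    return {url: should_fill(saved, url) for url in cases}


def naive_verdicts(saved_domain: str = "example.com", cases=CASES) -> dict:
    return {url: naive_should_fill(saved_domain, url) for url in cases}


if __name__ == "__main__":
    for url, ok in verdicts().items():
        mark = "FILL " if ok else "block"
        print(f"{mark}  {url}   (naive check would fill: {naive_should_fill('example.com', url)})")
```

The userinfo case is the one worth remembering: urlsplit puts everything after the @ into the hostname, so `login.example.com` in that URL is just a username and the real host is `evil.net`. A substring check passes all four malicious URLs and also fills over plain HTTP.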
Meeting your employer's expectations
Most employers have remote work security policies. Beyond the technical controls, the credential-specific obligations typically are:
- Don't share credentials with household members even for "just a minute"
- Report any suspected credential compromise to IT Security immediately — delays allow attackers more time in the network
- Use only employer-approved tools for work communication — personal WhatsApp for sensitive business communication is typically a policy violation
- Don't store work credentials in your personal password manager if your employer provides a tool; keeping the two vaults separate maintains the boundary between personal and corporate credential stores that your employer may require
- Complete required security training — remote work expands the attack surface, and most employer training covers the specific risks introduced by home environments