Password Security for Remote Work in 2025: The Threat Landscape Has Changed
Remote work expanded the attack surface. VPNs, home routers, personal devices — here is the updated threat model and what to do about it.
How the threat landscape changed after 2020
The mass shift to remote work in 2020 created a security transformation that many organisations still haven't fully addressed. Pre-2020, the perimeter model worked reasonably well: employee devices were on a managed corporate network, VPN was an edge case, and most authentication happened inside the firewall. Post-2020, everything is a remote access scenario.
The credential threat surface expanded dramatically: home networks with consumer routers, personal devices with work accounts, VPN fatigue leading to workarounds, shadow IT proliferating because corporate tools were too slow for remote work.
The home network problem
Home routers run old firmware with known vulnerabilities. Home networks have untrusted devices — smart TVs, IoT devices, family member phones — that can intercept or expose traffic. The employee working from home has essentially no network security compared to a managed corporate environment.
Controls that address this: VPN for all corporate access (with MFA, not just a certificate), endpoint detection on managed devices, and zero-trust network access (ZTNA) architecture for organisations ready to invest in it.
Personal device credential hygiene
When employees use personal devices for work — even just checking email — those devices should have the same credential security as corporate devices. In practice, this means:
- Password manager installed on personal devices used for work
- Work credentials stored in a separate, work-specific vault
- MFA on all work accounts, with work TOTP entries kept separate from personal ones where possible
- No sharing of work credentials with family members or between devices without proper sharing mechanisms
The VPN fatigue problem
Mandatory VPN for all remote access creates friction. Employees work around friction. Shadow IT grows when corporate tools are too slow. The security answer isn't to make VPN mandatory for everything — it's to use conditional access policies that require stronger authentication for sensitive systems, not a blanket VPN gate for all access.
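The tiered decision described above, as an added illustration that is not part of the original article or any product's API: a constructed conditional-access model where MFA is required everywhere, a managed endpoint and a private path (VPN or ZTNA) are required only for sensitive systems, and the helper counts how many VPN prompts a blanket gate would have produced versus the conditional policy. The tiers, field names and sample requests are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    """Data sensitivity of the target system, set by the policy owner."""
    PUBLIC = 0      # low-risk SaaS, public docs
    INTERNAL = 1    # ticketing, wiki
    SENSITIVE = 2   # HR, finance, production consoles

@dataclass(frozen=True)
class AccessRequest:
    system_tier: Tier
    mfa_passed: bool      # second factor completed this session
    managed_device: bool  # corporate endpoint with EDR, not a personal device
    private_path: bool    # traffic arrives over VPN or a ZTNA tunnel

def decide(req):
    """Return 'allow', 'step_up:<control>' or 'deny:<reason>'."""
    # MFA is required for every work account, whatever the tier.
    if not req.mfa_passed:
        return "deny:mfa_required"
    if req.system_tier is Tier.SENSITIVE:
        # Sensitive systems: managed endpoint AND private network path.
        if not req.managed_device:
            return "deny:managed_device_required"
        return "allow" if req.private_path else "step_up:vpn_or_ztna"
    if req.system_tier is Tier.INTERNAL:
        # Internal systems: a managed endpoint OR a private path is enough.
        if req.managed_device or req.private_path:
            return "allow"
        return "step_up:vpn_or_ztna"
    return "allow"  # public-tier systems need only MFA

def vpn_prompts(requests):
    """VPN/ZTNA prompts under a blanket VPN gate vs. under decide()."""
    blanket = sum(1 for r in requests if not r.private_path)
    conditional = sum(1 for r in requests if decide(r) == "step_up:vpn_or_ztna")
    return blanket, conditional

# Constructed sample: one remote employee's requests over a day
SAMPLE = [
    AccessRequest(Tier.PUBLIC, True, True, False),
    AccessRequest(Tier.INTERNAL, True, True, False),
    AccessRequest(Tier.INTERNAL, True, False, False),  # personal phone
    AccessRequest(Tier.SENSITIVE, True, True, False),
    AccessRequest(Tier.SENSITIVE, True, False, True),  # personal device over VPN
    AccessRequest(Tier.SENSITIVE, False, True, True),
]
```

On this sample the blanket gate would prompt for VPN four times while the conditional policy prompts twice, and the two requests it refuses are refused for reasons a user can act on (missing MFA, unmanaged device).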
Password policy for distributed teams
Remote teams need explicit written policy covering: which systems require VPN, MFA requirements by system type, approved tools for credential sharing (not Slack), and incident response steps if a credential is compromised. Use PassGeni's Policy Generator to create a documented policy that covers remote work scenarios.