ExpressVPN has quietly changed the terms of its built-in password manager, ExpressKeys - formerly branded as ExpressVPN Keys - cutting off free access for users whose subscriptions have lapsed. Where legacy users could previously continue generating and storing passwords at no cost, they can now only view existing data. Nothing new can be added. For anyone relying on ExpressKeys as a standalone tool, the message is clear: pay up or move on.
What Changed and Why It Matters
Password managers occupy a deceptively critical role in personal digital security. A good one generates complex, unique credentials for every account, stores them encrypted, and retrieves them instantly. A locked or degraded password manager, by contrast, creates a quiet but genuine risk: users either reuse weak passwords, write them down, or simply lose track of their credentials altogether.
ExpressVPN's decision to restrict ExpressKeys behind an active subscription is commercially logical. The company built the tool as a value-add for VPN subscribers, not as a free standalone product. But the change lands awkwardly for users who had come to depend on it - particularly those who cancelled their VPN subscription while keeping ExpressKeys in active use. The shift from "accessible but limited" to "effectively locked" is a meaningful downgrade, and one that arrived without extensive advance notice to users.
The practical consequence is straightforward: if you are a legacy ExpressKeys user, your stored passwords are still readable, but the manager has become a read-only archive. That is not a functional password manager. It is a liability waiting to grow stale.
How to Export Your Data Before Switching
The exit process is manageable, though it requires attention. ExpressKeys allows users to export all stored data - passwords, logins, secure notes, credit card details, and authenticators - through either its mobile app or its desktop browser extension for Chrome. Both routes work, but they differ meaningfully in security and convenience.
Exporting via mobile produces an encrypted ZIP file, password-protected at the time of export. That added layer of encryption means the file is not immediately readable if intercepted or accidentally shared. Exporting via desktop produces a plain CSV file - unencrypted by default - which is considerably more vulnerable. Anyone who opens that file sees everything in full. For that reason, desktop exports should never be performed on shared or workplace machines, and the resulting file should be handled with care and deleted promptly after import.
The reason to favour desktop export, despite its lower security, is practical: most password managers prompt users to import data via a web browser interface, not through a mobile app. Transferring an encrypted ZIP from a phone to a browser-based import tool adds unnecessary friction. Desktop export to CSV, while less protected in transit, is simply easier to work with when importing into a new service.
- Mobile export: encrypted ZIP file, password-protected, more secure in transit
- Desktop export: plain CSV file, unencrypted, easier to import elsewhere
- Both methods export passwords, logins, secure notes, credit cards, and authenticators
- Your vault password is required for both - contact ExpressVPN support if it is lost
Choosing a Replacement Password Manager
The password manager market is well-populated with capable alternatives, including services from established security-focused companies. Two options with direct relevance to VPN users are Proton Pass, from the team behind Proton VPN, and NordPass, developed alongside NordVPN. Both are credible choices with solid security architecture.
In practice, however, they handle imported data differently. NordPass, when importing from a spreadsheet or CSV, may only carry across core credential fields such as email and password, leaving secure notes and credit card data behind. Proton Pass handles a broader range of data types during import, making it the more complete option for users migrating a full vault. This is worth verifying before committing to either, as import compatibility can vary depending on how the originating app formats its export file.
Neither service is uniquely tied to a VPN subscription, which means they function independently of whatever VPN you use going forward - an important consideration if part of the reason for leaving ExpressVPN is cost or preference.
The Broader Lesson in Password Manager Lock-In
ExpressVPN's decision is a useful reminder that password managers bundled with another subscription carry an inherent vulnerability: their continued availability depends on you maintaining the primary product. Standalone password managers, by contrast, exist solely to manage credentials - their business model is not contingent on upselling you a VPN or any other service.
For users who store sensitive financial data, two-factor authentication codes, and login credentials for dozens of accounts in a single vault, the continuity of that vault is not a minor convenience - it is a security dependency. Tying that dependency to a subscription product that you might cancel for unrelated reasons introduces a fragility that standalone tools avoid.
Whether you return to ExpressVPN or move to an independent password manager, the priority is the same: your credentials should be stored in a system that works fully, is actively maintained, and does not hold your data hostage to a commercial relationship you may not wish to sustain indefinitely.
