A password manager that ExpressVPN once promised would remain usable after cancellation has quietly had that promise walked back. The company revised its terms of service to restrict non-subscribers from adding new credentials to ExpressKeys, effectively converting what was marketed as a durable benefit into a limited read-only archive. The change appears to have been introduced after September, though ExpressVPN has not publicly confirmed a precise date or explained the reasoning behind it.
What the Updated Terms Actually Mean for Users
The distinction between "access" and "full use" is where the policy change bites. Under the new terms, former subscribers can still view passwords already stored in ExpressKeys. What they can no longer do is add new login credentials. For a password manager, that restriction is not a minor inconvenience - it is a fundamental limitation that makes the tool unsuitable as a primary credential vault.
Password managers earn their place in daily digital life precisely because they handle the ongoing work of credential management: generating strong, unique passwords when users create new accounts, storing updated credentials after a security incident forces a password reset, and reducing the temptation to reuse weak passwords across services. Strip away the ability to add new entries, and what remains is a static record - useful for retrieving old passwords, but incapable of supporting the security habits the tool was designed to build.
There is a second restriction embedded in the updated policy that is arguably more severe. Users who never activated the standalone version of ExpressKeys while their VPN subscription was still active will lose access to the feature entirely once their plan lapses. This creates an asymmetry where the least engaged users - those who may not have known a separate activation step was required - face the harshest outcome.
A Quiet Reversal of an Original Commitment
When ExpressKeys launched, it was positioned as a lasting benefit of the ExpressVPN ecosystem, not a feature that would expire alongside the subscription. That framing was part of its appeal: users who invested time in migrating credentials to the platform had reasonable cause to believe the investment would hold its value even if they eventually stopped paying for the VPN itself.
The revision follows an earlier adjustment in which ExpressKeys was moved from a broadly available feature to one restricted to higher-tier subscription plans. Taken together, the two changes describe a deliberate tightening of access - first limiting who can acquire the feature, and now limiting what former users can do with it. The cumulative effect is to bind the password manager more tightly to an active, paying relationship with the company.
ExpressVPN has not issued a public statement explaining what prompted the shift. The absence of an announcement means that most affected users are likely to discover the restriction at the worst possible moment - when they actually need to save a new password and find they cannot.
The Broader Risk of Bundled Security Tools
The ExpressKeys situation illustrates a structural tension that runs through bundled security products more broadly. Password managers and VPNs serve different functions and operate on different usage cycles. A VPN is a recurring service; users pay for continuous access to a network. A password manager is closer to a personal data store - one that accumulates value over time and becomes harder to abandon as the number of stored entries grows.
When these two categories are fused into a single subscription, the user's credential data becomes entangled with a commercial relationship. That creates risk. If the subscription lapses - whether by choice, financial pressure, or dissatisfaction with the VPN service itself - the password manager's accessibility becomes conditional rather than absolute.
Security professionals have long advised that critical tools like password managers should be evaluated on their own merits and maintained independently of other services. The principle is straightforward: the more a security tool's availability depends on external factors outside the user's control, the less reliably it can perform its function. Users who built their credential hygiene around ExpressKeys now face a decision they were not originally told they would need to make.
What Affected Users Should Consider
For anyone currently relying on ExpressKeys, the practical priority is to assess exposure before a subscription lapses rather than after. Most dedicated password managers - including several with free tiers - support credential export and import, meaning a transition is technically feasible before access becomes restricted.
The more instructive lesson is forward-looking. Before adopting any password manager that ships as a secondary feature within a broader subscription, it is worth reading the terms carefully to understand what happens to stored data and access rights when the primary subscription ends. A password manager's long-term value depends not just on its features while active, but on the guarantees that govern what users can do with their data if they choose to leave.
