Features / Privacy — 2017/06/20

Mullvad's account numbers get longer – and safer

As of today, we are increasing the length of our account numbers to 16 digits. Customers with 12- or 13-digit numbers can continue using the service without taking any action.

Our account numbers help keep your identity private

A Mullvad account can be created without supplying any personal information. Not even an email address is needed. Along with the fact that we keep no activity logs and that we encourage anonymous payments with Bitcoin or cash, this is a fundamental reason why Mullvad is good at keeping your online activity, identity, and location private.

Why can't I choose my own account number?

Having the account number generated for you instead of allowing you to choose it yourself may feel limiting and strange, but this method provides some benefits:

A consistent format limits confusion and errors.
For instance, customers who mail in cash payments often hand write the corresponding account number on paper.

It keeps the accounts more anonymous.
A username that is picked by the user could potentially help in identifying that user. For example, a user might choose the same username that is used on other services, or the language and style of the username may give away their country of origin or cultural background.

It prevents a user from selecting a weak password.
It is a known fact that many people use weak passwords and/or use the same password across multiple services. With a lengthy and random account number, we can ensure that it is long enough to be secure and greatly reduce the risk that it will be used for another service, since that would require the user to copy the hard-to-remember number they got from us and use it elsewhere.

Your account number is, in a sense, both the username and the password at Mullvad. It is both the account's unique token (username) and the secret that authenticates the account toward our service (password). You should keep it just as safe and secret as a password.

Can't someone guess my account number?

A newly created Mullvad account number is a 16-digit decimal number in the "1000 0000 0000 0000" to "9999 9999 9999 9999" range. This allows for a total of 8.99 quadrillion possible account numbers. Assuming our customers are actively using 100,000 different accounts with us, one would need to guess on average 45 billion times in order to find a working account. This is practically impossible.

Even the 12- and 13-digit numbers are actually 40 randomized bits and thus amount to 2^40 possible combinations, or 1,099,511,627,776. It would take, on average, 5.5 million tries in order to find a working account. This is still unlikely to happen because of the number of guesses needed.

We also take countermeasures against trying out many account numbers in a fast sequence, but due to the growing number of customers, it's time to increase the length.
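The arithmetic above, together with how such a number would be drawn and how rapid sequential guessing can be throttled, as an added example that is not Mullvad's own code. It reuses the post's assumption of 100,000 active accounts; the attempt log and the throttle limits are constructed.

```python
import secrets
from collections import defaultdict, deque

# Constructed example, not Mullvad's implementation.
LOW, HIGH = 10**15, 10**16 - 1   # "1000 0000 0000 0000" .. "9999 9999 9999 9999"
ACTIVE_ACCOUNTS = 100_000        # assumption taken from the post

def new_account_number():
    """Draw a uniform 16-digit number from a CSPRNG (never random.randint)."""
    return LOW + secrets.randbelow(HIGH - LOW + 1)

def format_account(n):
    """Render as four groups of four digits, e.g. '1234 5678 9012 3456'."""
    s = str(n)
    assert len(s) == 16, "not a 16-digit account number"
    return " ".join(s[i:i + 4] for i in range(0, 16, 4))

def expected_guesses(space, active=ACTIVE_ACCOUNTS):
    """Average guesses until one of `active` valid numbers in `space` is hit."""
    return space / active / 2

GUESSES_16 = expected_guesses(HIGH - LOW + 1)   # 16-digit format: 45 billion
GUESSES_40BIT = expected_guesses(2**40)         # legacy 40-bit format: ~5.5 million

class GuessThrottle:
    """Sliding-window cap on failed logins per source (the post's countermeasure)."""
    def __init__(self, limit=5, window_s=60.0):   # constructed limits
        self.limit, self.window = limit, window_s
        self.failures = defaultdict(deque)

    def allow(self, source, now):
        q = self.failures[source]
        while q and now - q[0] > self.window:     # drop failures outside the window
            q.popleft()
        return len(q) < self.limit

    def record_failure(self, source, now):
        self.failures[source].append(now)

def simulate(attempts, throttle=None):
    """Replay (source, timestamp, success) tuples; return how many were blocked."""
    throttle = throttle or GuessThrottle()
    blocked = 0
    for src, t, ok in attempts:
        if not throttle.allow(src, t):
            blocked += 1
            continue
        if not ok:
            throttle.record_failure(src, t)
    return blocked

# Constructed log: one client makes 8 wrong guesses one second apart; 3 get throttled.
ATTEMPTS = [("203.0.113.7", float(i), False) for i in range(8)]
```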

What if someone were to successfully guess my account number?

In short, that person would then be able to use Mullvad VPN for free since an account is allowed to make up to five connections simultaneously.

If you suspect this is happening, contact our support team to change your account number. Doing so will make your old account number invalid and anyone else who has it will not be able to connect with it.

If you're worried that somebody with your account number will be able to eavesdrop on your traffic through the VPN tunnel, don't be! The encryption key is only available on your device.

Apart from this, a stolen account number should have minimal, if any, impact on your privacy. This is because no personal information is made available by the account number or when you connect to the service. The only details available are the expiry time and which ports are forwarded (if any).

This by itself should not pose an issue, but if someone has also obtained other information about you, it could be sensitive. In the average case it should not be a problem, but for the very paranoid (or for those whose threat model says otherwise), not forwarding any ports is an option.

The most important thing you can do to avoid any of the issues above is to keep your account number secret.

Should I update to a longer account number?

You can consider doing so the next time your account expires. Instead of renewing the old one, just create a new account. No rush though. As mentioned above, this is not an issue for most users.

As always, keep your account number in a safe place! But if you lose it, consult our guide on retrieving your account.