Assuming your VPN is trustworthy (which you can’t be sure of with a free VPN), the answer is encryption. Whenever you use a VPN, the security that it offers builds on top of the security that’s already built into secure websites.
Let’s take an example.
When you visit Bank of America’s website, you’ll see a green padlock icon in the URL bar. This shows that you’re connected using HTTPS, and thus the sensitive information you transmit — even without a VPN — is secured by encryption. Only your machine and Bank of America’s servers can read what’s sent.
If someone intercepted the data during transmission, they wouldn’t be able to read it. They might know know that you visited Bank of America’s site, but they couldn’t read the data itself that you sent.
What happens when we introduce a VPN into the equation?
Say you’re on a VPN connection when you log in to Bank of America. The sensitive information you send to the website is still encrypted before it gets sent to the VPN server, and it only gets decrypted when it reaches Bank of America’s server. Even though your bank login passes through the VPN server, the VPN server can’t read it.
The bottom line is that your passwords aren’t ever sent through the VPN — only an encrypted hash of them.
There’s only one way that a VPN provider could steal your login details: by setting themselves up as a man-in-the-middle attack. Theoretically, installing VPN software could allow a company to set up their own certificate as a trusted authority on your computer. This would fool your browser into thinking that insecure sites are actually safe.
With a reputable VPN, however, there’s next to no risk of this.
Have you ever worried about your security when using a VPN? If you don’t use a VPN, why aren’t you using one yet? Tell us what you think in the comments below!