
The VPN client will store the user-name though. So I was wondering whether the user-name is encrypted; if so, I could use "1" for the password and have the random 8 character string as the user-name. I believe that the loss of email from a stolen phone is a much greater concern than the loss of a VPN password; among other things, the VPN password can be trivially changed, but the IMAP mail that is cached in the phone is lost to the attacker.
http://en.wikipedia.org/wiki/Pptp#Security_of_the_PPTP_protocol
Wikipedia says that the security of PPTP is weak. This isn't even including the case that any system which only has a user-name and password supplied by the client and no authentication token stored by either side (e.g. like ~/.ssh/known_hosts) is going to lose in some way if the hostile party can proxy the protocol.
Well, PPTP is more or less just a wrapper around PPP, so it's roughly as secure as that, but the features supported depend on the implementation. As you imply, if you don't use peer authentication in some form or another (e.g. PAP on the client or certificate exchange), how can you be sure that you are connecting to your network and not my man-in-the-middle network?

What services are you running behind the VPN? If they are all SSL or TLS based and you are just using the VPN to do routing and not security, then you are probably okay as long as the correct identification is done there.

It's surprising how often PPTP is still used these days. Windows has supported IPSEC+L2TP for (nearly?) a decade, which provides a highly secure link, and all the NAT hurdles were solved for at least the last 5 years, but people still insist on using PPTP, even though that's almost as tricky to NAT.

James
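
The point made above about a token stored on the client (like ~/.ssh/known_hosts) can be sketched as follows. This is an added example, not code from the post, the comment, or any VPN client; the `PinStore` class, the `connect` helper, the host name and the key bytes are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the server's public key bytes."""
    return hashlib.sha256(public_key).hexdigest()

class PinStore:
    """Client-side record of server key fingerprints, in the spirit of known_hosts."""
    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def verify(self, host, public_key):
        """Return 'new' (pinned on first use), 'match' or 'mismatch'."""
        seen = fingerprint(public_key)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = seen
            with open(self.path, "w") as f:
                json.dump(self.pins, f)
            return "new"
        return "match" if hmac.compare_digest(known, seen) else "mismatch"

def connect(store, host, server_key, password):
    """Release the password only if the server key passes the pin check.
    Returns what the client sent (None when it aborted)."""
    if store.verify(host, server_key) == "mismatch":
        return None  # endpoint differs from the pinned one: stop before authenticating
    return password

def demo():
    # Constructed sample keys and host name, not real values.
    real_key, other_key = b"constructed-real-server-key", b"constructed-intermediary-key"
    path = os.path.join(tempfile.mkdtemp(), "known_servers.json")
    first = connect(PinStore(path), "vpn.example.net", real_key, "s3cret")
    again = connect(PinStore(path), "vpn.example.net", real_key, "s3cret")
    proxied = connect(PinStore(path), "vpn.example.net", other_key, "s3cret")
    return first, again, proxied

if __name__ == "__main__":
    print(demo())
```

The first connection is trusted blindly, so the pin only protects later connections; a client with no stored state at all has nothing to compare against on any connection.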