The growing habit of using weak, simple passwords — or reusing the same password across multiple online accounts — is significantly increasing the risk of cyberattacks. As digital threats continue to evolve, password managers have emerged as an essential cybersecurity tool, capable of securely storing and generating complex passwords while enabling users to access them conveniently when needed.
Germany’s Federal Office for Information Security (BSI) recently tested 10 popular password management programmes and found that some require improvement. According to the assessment, three of the tested applications stored passwords in a manner that could theoretically allow the developing companies to access them. This practice increases vulnerability to hacking and highlights the need for additional technical safeguards by software providers.
Nevertheless, the BSI stressed that such shortcomings do not justify abandoning password managers altogether. On the contrary, the risks associated with not using these tools — and continuing to rely on weak or reused passwords — are far greater. Several software developers have already begun addressing the identified flaws or have pledged to implement necessary improvements.
In parallel, the Consumer Protection Centre of North Rhine-Westphalia, in cooperation with the BSI, conducted a comprehensive data protection review of 10 password managers, focusing on privacy policies and the data collected during user registration. The findings revealed that around half of the tested programmes follow generally data-minimising practices, either by not collecting personal data at all or by limiting collection strictly to what is necessary for their core functionality.
However, some developers also gather usage data, such as the websites for which login credentials are stored and visit frequency. In certain cases, this information is analysed to improve services. Only a small number of companies were found to exploit data for marketing purposes or share it with advertising partners.
Privacy Policies and Data Protection
Experts advise users to carefully review privacy policies when selecting a password manager to ensure that no unnecessary data is collected or shared with third parties. If passwords are stored on a provider’s cloud servers, users should also verify where the data is hosted and the level of protection applied. Such details are typically available on the developer’s website, within the terms and conditions, or in the privacy policy.
Cloud Storage Considerations
Cloud-based storage has become a standard feature in most password managers, as it allows users to synchronise their data seamlessly across multiple devices. Alternatively, some password managers operate exclusively on a single device. While this approach offers enhanced privacy by keeping all data locally, it limits cross-device access unless compatible software is installed and databases are manually synchronised on a regular basis.
Security specialists further recommend researching any password manager before installation to confirm that it has not been involved in previous security breaches. If a service has suffered serious incidents, switching to a more secure alternative may be advisable.
The Rise of Passkeys
Users are also encouraged to explore passkeys, an increasingly popular alternative to traditional passwords. Passkeys enable password-free logins using cryptographic key pairs and are considered highly secure, as they are extremely difficult to steal, guess, or forget. Authentication is typically reinforced with biometric verification, such as fingerprint or facial recognition. Many modern password managers now support secure passkey storage.
Five Essential Security Measures
After choosing a password manager, the BSI and consumer protection authorities recommend adopting the following five key practices:
Create a strong master password.
Enable two-factor authentication (2FA).
Activate automatic backups or perform regular manual backups of stored passwords.
Enable automatic locking after periods of inactivity to prevent unauthorised access.
Keep the software updated, installing security patches promptly when released.
Despite their imperfections, experts agree that password managers remain a vital line of defence in an increasingly complex digital threat landscape.










