The Problem with Passwords
Anyone who uses the internet regularly today has an average of more than 50 password-protected accounts — that was the finding of a survey by the Verbraucherzentrale NRW among 1,203 participants conducted between August and September 2025. Email, banking, streaming, shopping, social networks, government portals — each of them requires separate login credentials.
The theoretical security ideal is well known: a unique, long, random password for every service. In practice, this runs into one simple barrier: human memory.
The risk is concrete: anyone who uses the same password for multiple services hands attackers access to everything after a single successful breach. This technique is called Credential Stuffing (an attack in which stolen login credentials, email plus password, are automatically tried at thousands of other services, because many people use the same password everywhere) and is, according to HPI security expert Prof. Christian Dörr, one of the most common attack vectors of all: "Once a service has been hacked and the credentials are out in the open — which has happened billions of times — criminals try those stolen credentials everywhere."
The BSI identifies compromised, weak and reused passwords as one of the most common entry points in cyber attacks. The problem is not malice — it is simple convenience. Anyone expected to remember 50 different strong passwords will eventually fall back on "123456".
What is a Password Manager?
A password manager is a programme that stores and manages all your login credentials in one encrypted location. Instead of 50 different passwords, you only need to remember one: the master password. It is the only password you need to remember; it decrypts the entire database, and if it is lost, all stored credentials may become inaccessible in the worst case.
The manager then takes care of everything else: it generates a unique, random password for every new account — long, complex, with no pattern. When you log in to a website, it fills in the fields automatically.
Store: All login credentials (username, password, website) are saved in an encrypted database.
Generate: When creating a new account, the manager suggests a secure random password — you don't need to think one up yourself.
Fill in: On known websites, the manager recognises the login fields and fills them in automatically.
Warn: Many managers compare your passwords against known data breaches and alert you if one has been compromised.
More than passwords: Most managers can also store credit cards, debit cards, IBANs, ID numbers, insurance numbers and other sensitive data in encrypted form — and fill them in automatically during online purchases. Everything in one place, with the same strong protection.
How Does it Work Technically?
The technology behind it is not difficult to understand, even without an IT degree. The core principle: your passwords are transformed into unreadable data using a strong encryption method — and can only be made readable again with the correct master password.
AES-256 — the industry standard
Good password managers encrypt the entire database with AES-256 (Advanced Encryption Standard with a 256-bit key), which is considered practically unbreakable with current hardware. This is the same standard used by governments and military agencies for their classified data. Without the master password, the encrypted database is worthless data — even to the provider themselves.
Zero-Knowledge — the provider knows nothing
Reputable password managers operate on the so-called zero-knowledge principle: encryption takes place on your device, before any data reaches the server, so the provider stores your data but cannot read it. The provider only sees an unreadable block of data, and even in the event of a server breach, attackers only obtain encrypted data packets. However, this is not the case with all managers — the comparison article looks at this in concrete detail.
The password generator — genuine randomness, not AI
Password managers use so-called CSPRNGs (cryptographically secure pseudo-random number generators, which deliver random numbers that are unpredictable to attackers and are the foundation of every secure password generator) for password generation. The result: passwords with no pattern, no repetitions, no recognisable structure. The exact opposite of what AI language models produce.
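As an added illustration (not code from this article or from any manager it names), here is how a generator built on a CSPRNG works in Go: every symbol is drawn from the operating system's cryptographic random source via crypto/rand, each draw is made uniform so that no character is favoured, and the entropy of the result is computed from the alphabet size and length. It goes one step beyond the paragraph by also generating the word-based passphrase style the article later recommends for master passwords. The alphabet, the tiny word list and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// The 94 printable ASCII symbols a typical generator draws from (assumed alphabet).
const defaultAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// randomIndex returns a uniformly distributed integer in [0, n) from the
// operating system's CSPRNG. rand.Int rejects out-of-range draws, which avoids
// the modulo bias a naive "random byte % n" would introduce.
func randomIndex(n int) (int, error) {
	if n <= 0 {
		return 0, errors.New("empty choice set")
	}
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// generatePassword draws length independent symbols from alphabet; because
// each draw is independent, the output has no structure to exploit.
func generatePassword(length int, alphabet string) (string, error) {
	symbols := []rune(alphabet)
	out := make([]rune, length)
	for i := range out {
		idx, err := randomIndex(len(symbols))
		if err != nil {
			return "", err
		}
		out[i] = symbols[idx]
	}
	return string(out), nil
}

// generatePassphrase draws words independent words from wordlist, the
// "several random words" style suited to a master password that must be memorised.
func generatePassphrase(words int, wordlist []string) (string, error) {
	out := make([]string, words)
	for i := range out {
		idx, err := randomIndex(len(wordlist))
		if err != nil {
			return "", err
		}
		out[i] = wordlist[idx]
	}
	return strings.Join(out, "-"), nil
}

// entropyBits is the guessing work an attacker faces when every draw is uniform:
// log2(choices^draws) = draws * log2(choices).
func entropyBits(draws, choices int) float64 {
	return float64(draws) * math.Log2(float64(choices))
}

func main() {
	pw, err := generatePassword(20, defaultAlphabet)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (%.1f bits)\n", pw, entropyBits(20, len([]rune(defaultAlphabet))))

	// Constructed mini word list; a real generator uses a list of several thousand words.
	words := []string{"anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor"}
	pp, err := generatePassphrase(6, words)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (%.1f bits)\n", pp, entropyBits(6, len(words)))
}
```

The entropy figure is what distinguishes a CSPRNG-backed generator from anything that merely looks random: 20 uniform draws from 94 symbols give about 131 bits, whereas a passphrase of six words from an eight-word list gives only 18 bits, which is why real word lists contain thousands of entries.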
Local, Cloud or Browser — Three Types
Not all password managers work the same way. There are three basic variants, which differ in convenience and security profile:
The BSI explicitly points out that browsers are complex programmes for which password management is not the top priority. Stored passwords can therefore be read more easily by malware than with a dedicated password manager. Anyone who still uses the browser should set a strong master password and always keep the browser up to date.
More Than Passwords — Cards & Documents
A password manager is not just a password tool. It is an encrypted digital vault — and much more than login data fits inside. Many people don't realise they can also securely store their credit cards, debit cards, IBANs or ID details there.
Credit cards & debit cards: Card number, expiry date, CVV, PIN — stored in encrypted form. Many managers fill in the data automatically during online purchases.
Banking: IBAN, BIC, account numbers — handy when you need them quickly without reaching for your wallet.
Identity documents: Passport and national ID numbers, expiry dates — useful for online forms or travel bookings.
Insurance: Health insurance and policy numbers — instead of searching through your email archive.
Other: Wi-Fi passwords, software licences, tax ID numbers, security question answers, membership numbers.
The advantage over scraps of paper, photos in your camera roll or unencrypted notes: in a password manager, this data is protected with AES-256 — the same standard used by banks and government agencies. Anyone who keeps their card details in the vault no longer needs to type them out or photograph them. How this works in practice in KeePassXC, Proton Pass and 1Password is shown in article 3.
Common Questions & Misconceptions
What the BSI Recommends
The Federal Office for Information Security (BSI) explicitly recommends the use of password managers. On its website, the BSI states: "Yes, as a rule using a password manager is worthwhile. It is in any case better than repeatedly using common passwords."
In the first half of 2025, the BSI, together with the Verbraucherzentrale NRW and the FZI Research Centre for Information Technology, examined ten password managers. The results are available as a joint publication on the BSI website. Despite shortcomings with individual providers, the overall recommendation remains clear: use a password manager — and pay attention to security and data protection. What that means in practice is shown in the comparison article.
Strong master password: At least 20 characters, ideally a passphrase made up of several random words. The master password is the only one you really need to remember.
Enable two-factor authentication: Additional protection for the manager account itself — in case the master password is compromised.
Regular backups: For local managers: save the database in multiple locations. For cloud managers: keep an emergency export of your passwords.
Keep the manager up to date: Updates close security vulnerabilities. This applies especially to browser managers.
A password manager is not a luxury solution for tech enthusiasts — it is the only realistic answer to the problem we all have: too many accounts, too little memory. Anyone who can remember 50 strong, unique passwords doesn't need one. Everyone else does.
The question is not whether, but which one. For maximum control with no cloud subscription: KeePassXC — free, open-source, local, rated as one of the most privacy-friendly options in the BSI/VZ test 2025. For sync between devices: Bitwarden — open-source, free to use, zero-knowledge. Neither requires a monthly fee.
What we strongly advise against: using AI to generate passwords — for the technical reasons outlined above. And: saving passwords in the browser without a master password — that is the kind of convenience that costs you security.