Overview
- The BSI examined 10 widely used password managers across major platforms, reported notable design and privacy gaps, and said most vendors have pledged or begun fixes.
- In Chrome, mSecure and PassSecurium, the provider can theoretically access stored secrets, which increases the attack surface compared with end‑to‑end approaches.
- The authority advises against using PassSecurium’s Free/Standard Android 1.1.63 and iOS 2.1.2 until a version 3.x master upgrade is released.
- Possible provider access could not be ruled out for SecureSafe and Sparkassen’s S‑Trust, and Sparkassen plans to discontinue S‑Trust on 31 March 2026.
- Only 1Password, KeePassXC and KeePass2Android encrypt all stored fields. The privacy review found mixed data practices, and users are urged to enable 2FA/TOTP, set auto‑lock, clear clipboards automatically and keep backups.