Particle.news

BSI Review of 10 Password Managers Finds Vendor-Access Risks and Issues Targeted Warnings

The agency says password managers remain safer than weak or reused passwords.

Overview

  • The joint review with Verbraucherzentrale NRW examined ten cross-platform tools and found that about half follow relatively data-sparing practices.
  • The BSI reports that the manufacturer could theoretically access stored data in Chrome (when no user passphrase is set, since some fields then remain unencrypted), in mSecure, and in SecureSafe/S-Trust, in the latter cases because of how data is handled server-side.
  • The agency explicitly advises against using PassSecurium's Free/Standard apps until a version 3.x upgrade is delivered, and warns that mSecure's design falls short of typical expectations.
  • No major design flaws were identified for 1Password, KeePassXC, or KeePass2Android, and Firefox is considered acceptable when the "set a primary password" option is enabled together with sync or backups.
  • Sparkassen will discontinue S-Trust/SecureSafe by 31 March 2026. Users are urged to use strong master passwords, enable 2FA via TOTP or hardware tokens, maintain backups, set auto-lock, install updates promptly, and avoid SMS codes.