Earlier this year, the German BSI together with the Consumer Advice Centre NRW performed a review of 10 popular password managers. What can we say? We're happy to be one of only a few to receive a very positive review without major security concerns. 🥳 We're also mentioned explicitly for being particularly privacy-friendly.

The full report (in German) can be found at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/DVS-Berichte/passwortmanager_sicherheit_datenschutz.html and https://www.verbraucherzentrale.nrw/wissen/digitale-welt/apps-und-software/10-passwortmanager-im-vergleich-113439

Password managers tested: focus on IT security and data protection

As part of a cooperation between the Verbraucherzentrale Nordrhein-Westfalen e. V. (VZ NRW) and the BSI, selected password managers were examined in the first half of 2025 to determine how secure and data-protection-compliant they are. The publication offers consumers guidance on secure password management.

Bundesamt für Sicherheit in der Informationstechnik
Based on early feedback provided from the BSI (and similar requests in the past), KeePassXC version 2.7.11 (released two weeks ago) changed the default auto-lock setting after inactivity to "on" with a timeout of 15 minutes. Go to Settings -> Security in case you want to restore the previous behaviour.
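As an added illustration that is not part of the original thread: a small audit check that reads a `keepassxc.ini` and reports whether idle auto-lock is on with a timeout at or below the 15-minute default described above. The section and key names (`[Security]`, `LockDatabaseIdle`, `LockDatabaseIdleSeconds`) are assumed to match KeePassXC's config layout, and both sample configs are constructed.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Policy taken from the post: auto-lock on, at most 15 minutes idle.
POLICY_MAX_IDLE_SECONDS = 15 * 60

# Constructed sample: pre-2.7.11 behaviour (idle auto-lock off).
OLD_INI = """
[Security]
LockDatabaseIdle=false
LockDatabaseIdleSeconds=240
"""

# Constructed sample: the 2.7.11 default (on, 900 seconds).
NEW_INI = """
[Security]
LockDatabaseIdle=true
LockDatabaseIdleSeconds=900
"""


@dataclass
class IdleLockFinding:
    enabled: bool
    timeout_seconds: Optional[int]
    compliant: bool
    reason: str


def audit_idle_lock(ini_text: str, max_idle: int = POLICY_MAX_IDLE_SECONDS) -> IdleLockFinding:
    """Parse keepassxc.ini text and evaluate the idle auto-lock setting.
    Key names are an assumption about KeePassXC's [Security] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # A missing section or key means the old default: auto-lock disabled.
    enabled = cp.getboolean("Security", "LockDatabaseIdle", fallback=False)
    try:
        timeout = cp.getint("Security", "LockDatabaseIdleSeconds", fallback=None)
    except ValueError:  # present but not an integer
        timeout = None
    if not enabled:
        return IdleLockFinding(False, timeout, False, "idle auto-lock is disabled")
    if timeout is None or timeout <= 0:
        return IdleLockFinding(True, timeout, False, "idle timeout missing or invalid")
    if timeout > max_idle:
        return IdleLockFinding(True, timeout, False, f"idle timeout {timeout}s exceeds {max_idle}s")
    return IdleLockFinding(True, timeout, True, f"idle auto-lock after {timeout}s")


if __name__ == "__main__":
    for name, text in (("old default", OLD_INI), ("2.7.11 default", NEW_INI)):
        print(name, audit_idle_lock(text))
```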
@keepassxc
Good feedback IMO! Thanks, saves me changing it each time I install :-).
@sourcejedi Funny. We also got exactly the opposite feedback. ^^
@keepassxc Yeah, that was exactly my problem since the release, and I kept wondering why on earth I had to unlock the DB again and again.
I then found the setting and turned it off.
Good solution, but I don't like this.
The DB can remain unlocked as long as I'm working on the device, and when I walk away, I lock the device and the DB is locked.

@nabor @keepassxc Same here, that post 1 week earlier would have been perfect for me, but it's still good, thanks!

I get why BSI, high risk people and companies would like this as a default but also how for many people the trade-off is more towards comfort. Additionally I personally would argue that instead of dumping my DB on an unlocked device a malicious actor could also install a keylogger and send everything home on my next unlock. (I admit that dumping the DB doesn't need extra skills and preparation on the other hand.)

@keepassxc Good choice. Security over convenience.
@keepassxc The review doesn't provide any criteria based on which the password managers were chosen to be reviewed, it only states.

@madalex @keepassxc
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/DVS-Berichte/passwortmanager.html
They had a list of popular ones and then picked a few out of them at random. Seems insane to me but uh yeah...
Correct me if I didn't read some other section that states more.

I would have loved to see Bitwarden in there as well. Either way I'm happy to see KeePass get the recognition!

IT security in the digital consumer market: focus on password managers

Passwords accompany consumers' everyday lives – they are required for using numerous online services such as online shopping, social media or e-mail. Password managers are one way of managing passwords and thus an important contribution to securing online accounts. This investigation report deals with the IT security of various products in the password manager segment. Following a systematic market analysis, ten password managers were subjected to a threat analysis. The publication contains recommendations for manufacturers on the one hand and, on the other, gives consumers more guidance and confidence when choosing a password manager.

Bundesamt für Sicherheit in der Informationstechnik
@crispy_caesus @keepassxc Seems to me the same way, two things made me suspicious - the number 10 of reviewed password managers and the one I'm using is not on the list.
@madalex yeah quite sad, seems really unprofessional to me.
@crispy_caesus
They likely only had limited funding so a random choice sounds fair to me.
@madalex
@rugk @crispy_caesus Then clearly state that: we couldn't be arsed to pony up enough money, we are only Germany's Federal Office for Security in IT with a budget of 231 million Euros in 2025, so we drew 10 names from a pot.

@madalex @crispy_caesus for an agency I suppose that is not much…

cf.: https://www.bundeshaushalt.de/DE/Bundeshaushalt-digital/bundeshaushalt-digital.html
Bundesrechnungshof gets 200 mio € and one could now argue whether that is of equal importance to the agency for cyber security in a country… it's obviously also not their only job to do that thing etc.…

Anyway, if you want more details there, I can only suggest you to raise a #FOI request with the BSI…


@keepassxc

They state that "Few providers (e.g. 1Password, SecureSafe, Avira) use data... for marketing purposes...
1Password is the only one of the tested password managers that can only be used for a fee and, according to its privacy notice, additionally uses personal data for marketing purposes as well."

Which is interesting. I wonder why 1Password, a paid service, would use users' personal data for marketing purposes.

@cosmiction @keepassxc @1password Any explanation on this?
@clemensprill
Likely written in the privacy policy.
@cosmiction @keepassxc @1password
@rugk @cosmiction @keepassxc @1password Yep, they quote from the privacy policy according to the text above but the question is meant more like "what the fuck is this, 1password"? A serious red flag.
@cosmiction @keepassxc The question is not why 1Password do that (the answer is "greed") but why customers accept it.
@keepassxc
There's no Bitwarden in the list. One of the few it is.

@keepassxc The test is flawed because the password managers were chosen randomly.
It makes no sense to exclude widely used solutions like Bitwarden.

It is great that you got good marks.
Sadly, the results are meaningless if large parts of the competition were excluded.