12/08/2025

Digital Security Put to the Test

The FZI examines the conceptual security of password managers

Which password managers really deliver what they promise? The German Federal Office for Information Security (BSI) and the FZI Research Center for Information Technology have put ten popular solutions under the microscope – focusing on genuine technical security rather than marketing promises.

Password managers have become one of the most important tools for improving digital security. They offer convenience and, above all, significantly improve the quality of passwords used in everyday life. Nevertheless, many people still do not use such solutions, often due to uncertainty or a lack of trust, as a previous BSI survey shows. This can lead to people using simple and identical passwords for all their digital accounts for the sake of convenience. The BSI, together with the FZI Research Center for Information Technology as a specialist partner, has therefore examined and evaluated the conceptual security features of ten password managers. The now-published report, "IT Security in the Digital Consumer Market: Focus on Password Managers", shows that there are significant differences between the password managers tested. It is therefore worth taking a close look when choosing a password manager.

Safety begins at the design stage

The selection of managers tested ranged from browser-based solutions to open-source variants and so-called “white label” products. White-label products are password managers that are not only sold directly by the manufacturer, but also offered by other companies under their own brand.

The evaluation was not based on marketing promises, but on a systematic analysis of the underlying technical concepts. One result of the study is that the assessment of the concepts and the cryptographic mechanisms used requires a high level of technical expertise. Users should therefore base their decision on the results of this and other reputable studies.

What was the approach?

The assessment was based on nearly 60 detailed criteria and the testing of conceptual security against possible attack scenarios. The review included, for example:

  • Phishing protection: Automatic URL verification to protect against fake websites
  • Cryptography: Correct application of only established and well-researched mechanisms
  • Future-proofing: Protection mechanisms against quantum computer attacks
  • Security concept: Access options for the password manager manufacturer
  • Compliance: Secure master password requirements and secure update channels
  • Transparency: Publication of the concept used by the manufacturer, information on the cryptography used, reports from security investigations
  • Protection against insecure passwords: Comparison with leak platforms for quick identification of compromised accounts

For more information about our security research and cooperation opportunities, please visit our research focus Safety, Security and Law.

About the FZI

The FZI Research Center for Information Technology, headquartered in Karlsruhe with a branch office in Berlin, is a non-profit institution dedicated to research in information technology applications and technology transfer. It delivers the latest scientific findings in information technology to companies and public institutions. It qualifies individuals for academic and business careers, as well as for the leap into self-employment. Supervised by professors from various faculties, the research groups at the FZI develop interdisciplinary concepts, software, hardware, and system solutions for their clients and implement the solutions found as prototypes. The FZI House of Living Labs offers a distinctive research environment for applied research. The FZI is an innovation partner of the Karlsruhe Institute of Technology (KIT) and a strategic partner of the German Informatics Society (GI).