A yellow note is stuck to the monitor, a worn list sits in the wallet, and for years the same password has done duty for email, online shop and bank. That is what passwords look like in many households - and it is understandable, because no one can remember dozens of complicated codes. Yet this is exactly where criminals come in. According to the Hasso-Plattner-Institut, 123456 (Hasso-Plattner-Institut) once again tops the list of the most leaked German passwords in 2025, and according to the BSI cybersecurity monitor only 30.5 percent (BSI) of people use a password manager at all. The tool is simpler than many think: you remember a single master password, and the rest sits safely encrypted in the vault and is filled in automatically. This guide explains calmly why written-down and reused passwords are risky, how a password manager works, what the BSI and consumer advice centre recommend in their latest study - and how we set up the password manager at your home.
Key takeaways
- Reused passwords are the real risk: if one service is hacked, criminals automatically try the same credentials everywhere - a single breach then opens many doors.
- A password manager only asks for one strong master password. It generates, stores and fills in all other passwords automatically - long, unique and encrypted.
- In 2025 the BSI and the consumer advice centre NRW tested ten password managers and, despite individual shortcomings, clearly recommended using one - the benefits outweigh the risks.
- Moving from a note or the browser store works step by step: choose a manager, set a master password, import existing logins, enable two-factor.
- Extra protection comes from two-factor sign-in and a well-planned emergency access, so relatives are not locked out if the worst happens.
- We set up the password manager on every device, handle the import, enable two-factor and practise using it patiently - including with older customers.
Why sticky notes and reused passwords are risky
The problem is rarely the one weak password, but the habit of using the same code in many places. The BSI cybersecurity monitor shows how common this is: one in eight people (BSI) uses the same password for three or more accounts. If just one of these services is hacked - and that happens constantly - the credentials end up in collections circulating online. Criminals then try these combinations automatically at other services. The security researcher at the Hasso-Plattner-Institut puts it plainly: once credentials are exposed - and that happens millions of times - offenders try to use them everywhere (Hasso-Plattner-Institut).
How easy many passwords are to guess is shown by the Hasso-Plattner-Institut's annual analysis for European Data Protection Day. The top places among the most leaked German passwords in 2025 are dominated by plain number sequences and simple words (Hasso-Plattner-Institut).
- 123456 - undisputed in first place
- 123456789
- 565656
- 12345678
- hallo123
- kaffeetasse
- 1234567
- passwort
- lol123
The note is not the core problem
What a password manager is - and how it works
At its heart, a password manager is a digital, encrypted vault for your credentials. You only need to remember one single, ideally long, master password. With it you unlock the vault - and inside sit all the other passwords, which the program generates anew and uniquely for each service. The data is protected with recognised encryption methods and only unlocked on your own device. When you sign in, the manager enters username and password automatically, so you neither type nor memorise anything.
One master password
A single long master password unlocks the vault. It is the only one you have to remember - the program handles everything else.
Encrypted vault
All credentials are protected with recognised encryption and only unlocked on your own device.
Password generator
At the press of a button, a long, random password is created for each service - one no one can guess and you never have to remember.
Automatic filling
When you sign in, the manager enters username and password itself - no typing, no mix-ups, no note.
On every device
One vault, in sync everywhere: what you save on the laptop is safely available on phone and tablet too.
Two-factor and passkeys
Many managers also store two-factor codes and support passkeys - only 21 percent (BSI) use this modern sign-in so far.
What the BSI and consumer advice centre recommend
In 2025 the BSI and the consumer advice centre NRW jointly examined ten (BSI, consumer advice centre NRW) password managers in detail - including the stores built into common browsers. The result is nuanced: about half of the programs work with minimal data collection (consumer advice centre NRW), yet in three of ten (BSI) the technical design theoretically allowed the manufacturer to access the stored passwords. Even so, the recommendation is clear.
From the BSI's point of view the benefit far outweighs the drawbacks - the risks of not using a password manager are considerably greater than the implementation flaws of individual products.
Many hesitate for fear that a provider could read the passwords: according to the consumer advice centre NRW, about one in four people (consumer advice centre NRW) name exactly this as a reason not to use a password manager. That concern can be addressed by choosing a program with local or end-to-end encrypted storage - which is exactly where we advise on the selection and in the privacy course at home. The key point remains: an average manager protects noticeably better than a reused password kept in your head.
The browser store was tested too
Browser store or a dedicated manager?
The store built into your browser is convenient and far better than typing the same password everywhere. A standalone password manager can do more, though - especially if you use several devices or also want to keep Wi-Fi keys, ID numbers and two-factor codes safe. The overview below sorts out the main differences.
| Feature | Browser store | Dedicated password manager |
|---|---|---|
| Master protection | Often tied to the device login | Your own strong master password |
| Devices | Usually bound to one browser | Laptop, phone and tablet in sync |
| Password generator | Kept simple | Extensive, with length and character rules |
| Secure notes | Barely available | For IDs, codes and Wi-Fi keys |
| Two-factor codes | Rarely integrated | Often stored right alongside |
| Moving your data | Cumbersome | Import and export built in |
From note to vault in five steps
The switch seems bigger than it is. With a structured approach you have the most important accounts sorted in an afternoon - and the rest bit by bit. These five steps have proven their worth.
- Choose a password manager: a program with local or end-to-end encrypted storage and apps for your devices. The BSI and the consumer advice centre name clear criteria for this.
- Set a master password: a long, easy-to-remember phrase - the Hasso-Plattner-Institut advises at least 15 characters (Hasso-Plattner-Institut). You write this one password down once and keep it safe.
- Import existing logins: passwords from the browser store can usually be taken over directly; entries from the note we add together.
- Replace weak and duplicate passwords: the manager shows which codes are reused or too short - swap these for new, unique ones over time.
- Enable two-factor sign-in: for the most important accounts - email, bank, cloud - switch on the second factor so a password alone is not enough.
The move does not have to happen in a single day. It makes sense to start with the most important accounts - email and bank first, because many other logins can be reset via your email inbox. How to secure your photos and documents at the same time is shown in the article Back up phone photos and data properly. And if you are reorganising working from home, the guide Set up an ergonomic home office offers further practical tips.
Extra protection: master password, two-factor and emergency access
A password manager is only as strong as its master password. Instead of a complicated abbreviation, a long, easy-to-remember phrase made of several words works well - easy to keep in mind yet hard to crack. The second building block is two-factor sign-in: it confirms every login via a second device or an app. So far only 40 percent (BSI) of people use this protection, even though it renders an intercepted login worthless. Even newer are passkeys, which work entirely without a password - 21 percent (BSI) already use them.
- Choose a long master password made of several words and use it for nothing else.
- Switch on two-factor sign-in for email, bank and cloud.
- Set up a second route for the second factor so a lost phone does not lock you out.
- Define an emergency access so trusted people can reach important accounts if the worst happens.
- Regularly check which passwords the manager flags as weak or duplicate, and replace them.
Emergency access is part of it
How we set up the password manager for you
Knowledge is one half, clean setup the other. That is exactly what we take care of during a home visit: we choose a suitable password manager with you, install it on laptop, phone and tablet, set up the master password and import your existing credentials from browser and note collection. We then enable two-factor sign-in for the most important accounts and practise using it together on your own device - calmly, without jargon and with as many repetitions as you like.
We take the apprehension out of the topic, especially for older customers. We show step by step how automatic filling works, how to save a new password and how to unlock the vault on a second device. If you want to go deeper, the privacy course at home is the right place; for signing in to your bank safely, the online banking course helps. And because strong password protection is the foundation against fraud, the guide Spotting phishing and fake calls fits well alongside.
We look after the technology throughout your home - whether a password manager on every device, a wallbox for your electric car or an overall secure, data-minimising smart home. No one can promise seamless protection against every conceivable threat, but with a separate password for each service and active two-factor sign-in the risk drops noticeably. Because we come to you by car in the Hildesheim and Leine valley region, much can be done in a single appointment - one personal contact, no call centre. Arrange an appointment without a hold queue.
A password you can actually remember
Sources and studies