Zum Inhalt springen
Home visits in the Nordstemmen area
Sicherheit

Password Managers: End Your Sticky-Note Chaos

Password manager setup: why sticky notes and reused passwords are risky, how the encrypted vault works and what the BSI and consumer tests really recommend.

12 min read Passwort-ManagerSicherheitBSIZwei-Faktor

A yellow note is stuck to the monitor, a worn list sits in the wallet, and for years the same password has done duty for email, online shop and bank. That is what passwords look like in many households - and it is understandable, because no one can remember dozens of complicated codes. Yet this is exactly where criminals come in. According to the Hasso-Plattner-Institut, 123456 (Hasso-Plattner-Institut) once again tops the list of the most leaked German passwords in 2025, and according to the BSI cybersecurity monitor only 30.5 percent (BSI) of people use a password manager at all. The tool is simpler than many think: you remember a single master password, and the rest sits safely encrypted in the vault and is filled in automatically. This guide explains calmly why written-down and reused passwords are risky, how a password manager works, what the BSI and consumer advice centre recommend in their latest study - and how we set up the password manager at your home.

Set up a password manager - end the sticky notesOne master password, an encrypted vault, autofill and two-factor on every deviceBefore: loose notes123456most leaked - rank 1 (HPI)hallo123rank 5 of the leaks (HPI)passwortrank 8 of the leaks (HPI)The same password everywhere:one data breach hits every accountOne vault, one keyRemember 1 master passwordit opens the whole vaultstored encrypted (AES)password generator includedOn every device: autofillLoginOne account - in sync onlaptop, phone and tabletsign in via autofill, no typing30.5%use a password manager(BSI)46%use strong passwords(BSI)40%use two-factor(BSI)10tested in the 2025 study(BSI/VZ NRW)Remember one master password - the vault handles the restWe set up your password manager at home - in the Hildesheim and Leine valley regionmaster password | encrypted vault | autofill | two-factor | passkey | browser import | emergency access | privacy course

Key takeaways

  • Reused passwords are the real risk: if one service is hacked, criminals automatically try the same credentials everywhere - a single breach then opens many doors.
  • A password manager only asks for one strong master password. It generates, stores and fills in all other passwords automatically - long, unique and encrypted.
  • In 2025 the BSI and the consumer advice centre NRW tested ten password managers and, despite individual shortcomings, clearly recommended using one - the benefits outweigh the risks.
  • Moving from a note or the browser store works step by step: choose a manager, set a master password, import existing logins, enable two-factor.
  • Extra protection comes from two-factor sign-in and a well-planned emergency access, so relatives are not locked out if the worst happens.
  • We set up the password manager on every device, handle the import, enable two-factor and practise using it patiently - including with older customers.

Why sticky notes and reused passwords are risky

The problem is rarely the one weak password, but the habit of using the same code in many places. The BSI cybersecurity monitor shows how common this is: one in eight people (BSI) uses the same password for three or more accounts. If just one of these services is hacked - and that happens constantly - the credentials end up in collections circulating online. Criminals then try these combinations automatically at other services. The security researcher at the Hasso-Plattner-Institut puts it plainly: once credentials are exposed - and that happens millions of times - offenders try to use them everywhere (Hasso-Plattner-Institut).

How easy many passwords are to guess is shown by the Hasso-Plattner-Institut's annual analysis for European Data Protection Day. The top places among the most leaked German passwords in 2025 are dominated by plain number sequences and simple words (Hasso-Plattner-Institut).

  1. 123456 - undisputed in first place
  2. 123456789
  3. 565656
  4. 12345678
  5. hallo123
  6. kaffeetasse
  7. 1234567
  8. passwort
  9. lol123

The note is not the core problem

A password on paper is not wrong in principle: the BSI considers a safely kept note - in a drawer, not on the monitor or under the keyboard - perfectly acceptable (BSI). It becomes risky when the same note lies around in the open, the password is reused and no one keeps track any more. It is exactly this problem of scale that a password manager solves.

What a password manager is - and how it works

At its heart, a password manager is a digital, encrypted vault for your credentials. You only need to remember one single, ideally long, master password. With it you unlock the vault - and inside sit all the other passwords, which the program generates anew and uniquely for each service. The data is protected with recognised encryption methods and only unlocked on your own device. When you sign in, the manager enters username and password automatically, so you neither type nor memorise anything.

One master password

A single long master password unlocks the vault. It is the only one you have to remember - the program handles everything else.

Encrypted vault

All credentials are protected with recognised encryption and only unlocked on your own device.

Password generator

At the press of a button, a long, random password is created for each service - one no one can guess and you never have to remember.

Automatic filling

When you sign in, the manager enters username and password itself - no typing, no mix-ups, no note.

On every device

One vault, in sync everywhere: what you save on the laptop is safely available on phone and tablet too.

Two-factor and passkeys

Many managers also store two-factor codes and support passkeys - only 21 percent (BSI) use this modern sign-in so far.

What the BSI and consumer advice centre recommend

In 2025 the BSI and the consumer advice centre NRW jointly examined ten (BSI, consumer advice centre NRW) password managers in detail - including the stores built into common browsers. The result is nuanced: about half of the programs work with minimal data collection (consumer advice centre NRW), yet in three of ten (BSI) the technical design theoretically allowed the manufacturer to access the stored passwords. Even so, the recommendation is clear.

From the BSI's point of view the benefit far outweighs the drawbacks - the risks of not using a password manager are considerably greater than the implementation flaws of individual products.

Federal Office for Information Security (BSI)

Many hesitate for fear that a provider could read the passwords: according to the consumer advice centre NRW, about one in four people (consumer advice centre NRW) name exactly this as a reason not to use a password manager. That concern can be addressed by choosing a program with local or end-to-end encrypted storage - which is exactly where we advise on the selection and in the privacy course at home. The key point remains: an average manager protects noticeably better than a reused password kept in your head.

The browser store was tested too

The password stores built into browsers were part of the review; the Firefox store came through without concerns (consumer advice centre NRW). For getting started, the browser store is better than nothing - but a dedicated password manager offers more: use across devices, secure notes and an independent place for your two-factor codes.

Browser store or a dedicated manager?

The store built into your browser is convenient and far better than typing the same password everywhere. A standalone password manager can do more, though - especially if you use several devices or also want to keep Wi-Fi keys, ID numbers and two-factor codes safe. The overview below sorts out the main differences.

FeatureBrowser storeDedicated password manager
Master protectionOften tied to the device loginYour own strong master password
DevicesUsually bound to one browserLaptop, phone and tablet in sync
Password generatorKept simpleExtensive, with length and character rules
Secure notesBarely availableFor IDs, codes and Wi-Fi keys
Two-factor codesRarely integratedOften stored right alongside
Moving your dataCumbersomeImport and export built in

From note to vault in five steps

The switch seems bigger than it is. With a structured approach you have the most important accounts sorted in an afternoon - and the rest bit by bit. These five steps have proven their worth.

  1. Choose a password manager: a program with local or end-to-end encrypted storage and apps for your devices. The BSI and the consumer advice centre name clear criteria for this.
  2. Set a master password: a long, easy-to-remember phrase - the Hasso-Plattner-Institut advises at least 15 characters (Hasso-Plattner-Institut). You write this one password down once and keep it safe.
  3. Import existing logins: passwords from the browser store can usually be taken over directly; entries from the note we add together.
  4. Replace weak and duplicate passwords: the manager shows which codes are reused or too short - swap these for new, unique ones over time.
  5. Enable two-factor sign-in: for the most important accounts - email, bank, cloud - switch on the second factor so a password alone is not enough.

The move does not have to happen in a single day. It makes sense to start with the most important accounts - email and bank first, because many other logins can be reset via your email inbox. How to secure your photos and documents at the same time is shown in the article Back up phone photos and data properly. And if you are reorganising working from home, the guide Set up an ergonomic home office offers further practical tips.

Extra protection: master password, two-factor and emergency access

A password manager is only as strong as its master password. Instead of a complicated abbreviation, a long, easy-to-remember phrase made of several words works well - easy to keep in mind yet hard to crack. The second building block is two-factor sign-in: it confirms every login via a second device or an app. So far only 40 percent (BSI) of people use this protection, even though it renders an intercepted login worthless. Even newer are passkeys, which work entirely without a password - 21 percent (BSI) already use them.

  • Choose a long master password made of several words and use it for nothing else.
  • Switch on two-factor sign-in for email, bank and cloud.
  • Set up a second route for the second factor so a lost phone does not lock you out.
  • Define an emergency access so trusted people can reach important accounts if the worst happens.
  • Regularly check which passwords the manager flags as weak or duplicate, and replace them.

Emergency access is part of it

What happens to the accounts if something happens to the main user? A stored emergency access or a safely kept master password ensures that trusted people can reach email, bank and contracts if the worst happens. We clarify this question during setup - it matters especially in families and for older people.

How we set up the password manager for you

Knowledge is one half, clean setup the other. That is exactly what we take care of during a home visit: we choose a suitable password manager with you, install it on laptop, phone and tablet, set up the master password and import your existing credentials from browser and note collection. We then enable two-factor sign-in for the most important accounts and practise using it together on your own device - calmly, without jargon and with as many repetitions as you like.

We take the apprehension out of the topic, especially for older customers. We show step by step how automatic filling works, how to save a new password and how to unlock the vault on a second device. If you want to go deeper, the privacy course at home is the right place; for signing in to your bank safely, the online banking course helps. And because strong password protection is the foundation against fraud, the guide Spotting phishing and fake calls fits well alongside.

We look after the technology throughout your home - whether a password manager on every device, a wallbox for your electric car or an overall secure, data-minimising smart home. No one can promise seamless protection against every conceivable threat, but with a separate password for each service and active two-factor sign-in the risk drops noticeably. Because we come to you by car in the Hildesheim and Leine valley region, much can be done in a single appointment - one personal contact, no call centre. Arrange an appointment without a hold queue.

A password you can actually remember

Good password protection takes nothing away from you - it makes everyday life easier. You remember a single master password, and the vault handles the rest: secure codes, automatic filling and the calm feeling that a single data breach will not open all your accounts at once.

Sources and studies

This article is based on data from: the Federal Office for Information Security / BSI (cybersecurity monitor: share of people using a password manager, reuse of passwords, prevalence of strong passwords, two-factor sign-in and passkeys; study of ten password managers together with the consumer advice centre NRW including the recommendation that the benefit outweighs the risks; guidance on safely handling written-down passwords), the consumer advice centre NRW (comparison of ten password managers, data minimisation, concern about provider access, assessment of the browser store) and the Hasso-Plattner-Institut / HPI (annual analysis of the most leaked German passwords, recommendations on password length and uniqueness).