Security & Compliance

We had ourselves re-tested: heylogin against the criteria of the BSI password manager test

Dr. Dominik Schrmann
Jul 9, 2026
We had the FZI re-test heylogin against the exact criteria of the BSI password manager study, and here's how we did, what we improved, and the full report to read yourself.

In December 2025, a test appeared that drew attention across the password manager industry: Germany's Federal Office for Information Security (BSI) and the consumer advice center Verbraucherzentrale NRW jointly examined ten password managers, with the technical assessment carried out by the FZI Research Center for Information Technology. The question was how secure and how privacy-friendly these programs really are.

heylogin was not among them.

We did not want to leave it at that. A test you did not take part in says nothing about your own product, and "just trust us" is the worst possible answer for a password manager. So we commissioned the FZI to re-test heylogin against exactly the same test scheme that was applied in the BSI study. Same criteria, same assessor, same standard.

This article explains what the test was about, how heylogin performed, and what we improved based on the results. We are publishing the full report alongside it, so you can form your own picture.

What was the test actually about?

The BSI test hit a sore point. In an accompanying survey by Verbraucherzentrale NRW with over 1,200 participants, it turned out that the biggest hurdle with password managers is not usability, but trust. The most frequently cited reasons why people do not use a password manager:

  • the fear that stored passwords could be stolen,
  • the fear of losing access to one's own passwords,
  • and the concern that the provider itself could see the stored passwords.

Around one in four people who do not use a password manager cited concern about provider access. These three fears are a good yardstick for assessing a password manager. So let us look at how heylogin fares on exactly these points.

The result first

In its final report, the FZI reaches a clear verdict:

"Overall, no fundamental concerns emerged during the investigation that would speak against using heylogin."

That is the core statement. But a positive conclusion alone is boring and not very meaningful. What is more interesting is where heylogin sets itself apart from the field, and which points of criticism the test found. We go through both honestly here.

The results in direct comparison

The following table takes the technical overview from the publication by the BSI and Verbraucherzentrale NRW and places heylogin (first column) right next to it. All figures for heylogin come from the FZI final report; the other values come from the original BSI study. All figures relate to the product version at the time of the respective investigation and may have changed through later updates.

Criterion heylogin 1Password Avira Password Manager Chrome Password Manager Keepass2 Android KeePassXC Mozilla Firefox Password Manager mSecure Password Manager PassSecurium SecureSafe Password Manager S-Trust Password Manager
Use of a master password in the default configuration No 3 Yes Yes Yes Yes No 2 Yes Yes Yes Yes Yes
Recovery option if the master password is lost Yes Yes No 4 No 5 No No Yes No Yes Yes Yes
Can be protected with a second factor Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Supports management of second factors 6 Yes Yes Yes No Yes Yes No Yes Yes No No
Automatic clearing of the clipboard No Yes 7 Yes No Yes Yes No Yes 7 No Yes Yes
Automatic lock after timeout in the default configuration Yes Yes Yes Yes No No Yes Yes Yes Yes Yes
Cloud synchronization 8 Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes
Check against leaks Yes Yes Yes Yes No Yes Yes No Yes No No
Export of passwords Yes No No Yes Yes Yes Yes No Yes Yes Yes
The entire content is encrypted. Yes Yes No No Yes Yes No No No No No
After a change of the master password, the entire content is re-encrypted Yes 9 No No No Yes Yes No No No No No
The manufacturer can access the data. 10 No No No Yes No No No Yes Yes Not assessable Not assessable
Only secure, correctly configured cryptographic algorithms are used. 11 Yes, with minor deviations Yes, with minor deviations Unknown 12 Unknown, uses operating system functions Yes, with minor deviations Yes, with minor deviations Yes, with minor deviations Unknown, at least minor deviations No No No

This table is a copy of the results of the BSI study, extended with the results for heylogin. All figures come from the FZI final report and the BSI study and relate to the product version at the time of the respective investigation.

2
Instead of the master password, Windows authentication is used, which is comparable in this context.
3
heylogin uses a connected smartphone for unlocking instead of a master password.
4
The existing recovery option via biometrics should be disabled for security reasons.
5
Users should set their own passphrase; a recovery option is then no longer available.
6
Management of additional authentication factors for 2FA with other services.
7
Handled by the operating system on current Android versions.
8
Can stored data be synchronized via an easily activated function with a cloud operated by the manufacturer or a third party?
9
Re-encryption takes place as soon as a push authenticator has been removed and a change is made to the logins.
10
The entries relate to the default configuration with synchronization enabled.
11
In the sense of BSI TR-02102-1.
12
Some information could not be obtained within the scope of the test depth.

In the following sections, we put the most important of these rows into context. A concise summary of the results is also available in our security update on the BSI password manager test.

Three points where heylogin stands out

1. Can the provider see my passwords?

This is the concern that, according to the survey, keeps a quarter of people from using a password manager. And it is justified: the BSI's technical investigation showed that with several of the tested products, the provider can at least theoretically access the stored passwords.

For heylogin, the FZI confirms: the manufacturer cannot access the stored data. This is due to our architecture. heylogin uses no master password, but the security chip in your smartphone. Your passwords are end-to-end encrypted, and the keys for this reside exclusively on your devices, never with us. To us as the provider, your passwords are a black box.

2. Is everything really encrypted?

You might assume that every password manager encrypts the entire content. The test shows: that is not the case. With many of the products examined, the entire content is in fact not encrypted. heylogin belongs to the small group for which the FZI rated this point "yes".

3. What happens after a security incident?

This is the technically most interesting finding. Imagine an attacker gains one-time access to your encrypted data and the matching key. With most password managers, every password you store afterwards is then compromised as soon as a copy of your vault is stolen again, because the key stays the same.

heylogin does this differently. We automatically re-encrypt your data after a change of keys, for example when a login device is removed. The technical term for this is post-compromise security. The effect: passwords you create anew after an incident remain protected, even if the old keys have fallen into the wrong hands.

In the FZI comparison table, exactly two of eleven products meet this point: KeePassXC and heylogin. And here is the difference: KeePassXC is a local password manager, where re-encryption is technically simple. For a cloud-based manager that synchronizes your passwords across multiple devices, this is considerably more demanding. heylogin is therefore the only cloud password manager tested that offers post-compromise security. If you would like to read the details, you will find them in our Security Whitepaper in the section "Post-Compromise Security".

What we improved based on the test

An independent test is only worth as much as what you make of it. The report named a number of points, and we worked on them in several technical discussions with the FZI. This is what we have implemented since then:

Password quality now also in the private plan

The report suggested assessing stored passwords for their quality. This feature, which we already offered for organizations, we have now introduced for private accounts as well. heylogin shows for each stored password whether it meets the recommendations.

The criteria are based on the BSI factsheet "Secure Passwords" and on NIST SP 800-63B. Since heylogin generates the passwords itself, with at least 16 characters and all four character types they are considerably stronger than the minimum these standards call for. This is complemented by an automatic check against known data leaks.

Shorter lock times

The test criticized that heylogin locks automatically only rather late in the default setting. We removed the longest option ("1 day"). The new maximum and default value is now 8 hours.

Important to understand: this time only runs during inactivity. Any action in the browser, scrolling, typing, switching a tab, resets the timer. The lock therefore only takes effect when a device is genuinely left unattended, not in the middle of work. A shorter value thus brings more security without disrupting everyday use.

Protection against screenshots

On Android, heylogin now prevents screenshots, including while a password is displayed in plain text. On iOS, the absence of a corresponding interface means there is no comparable risk.

Modernized encryption library

A more technical point: the report pointed out that a software library we use (TweetNaCl) had not received an update for some time. We replaced it with the actively maintained library "noble". This reduces the risk of so-called supply-chain attacks, in which attackers try to smuggle in malicious code via outdated building blocks. Details are in our Security Whitepaper, section 6.1.

In addition, over the course of 2027 we are working on publicly available SBOMs (a kind of parts list of all software components used), as part of our preparation for the European Cyber Resilience Act.

Two points we deliberately did not change

Honesty also means talking about the things you did not implement, and explaining why.

The clipboard on Android

The report notes that on Android, heylogin does not clear the clipboard itself when you copy a password manually. That is true, but the operating system handles it here: from Android 13 onwards, Android automatically clears the clipboard after a short time. The prerequisite is an Android version that still receives security updates, which is the basic requirement for a secure device anyway. The FZI itself refers to this mechanism in its comparison table.

Domain matching

This is the only point the FZI highlights as a central test finding, and it deserves an explanation. It concerns when heylogin suggests a stored login on a website.

heylogin also suggests a login on related subdomains. An example: if you have saved a login for dash.example.com, it is also suggested on auth.dash.example.com. The same applies across related domains, such as amazon.com and amazon.de. This is built deliberately, because it is a trade-off between security and usability.

Very strict matching would break all of these everyday cases. Users would then have to look up their passwords manually and copy them, and it is precisely this manual copying that is a security risk in its own right. What heylogin does prevent: the classic phishing trick of attaching the real domain as a prefix to a foreign address (example.com.evil.de) leads to no suggestion. And a login saved for a subdomain is not passed up to the parent domain.

That this is a fundamental design trade-off and not a heylogin-specific shortcoming is shown by a look at the BSI report itself: the FZI made the same finding there for 1Password, one of the most established password managers of all, with the same conclusion that no fundamental concerns speak against its use. How our matching works in detail is documented in our Website Matching help article.

Our understanding of security

For us, security does not mean having no points of criticism. It means having yourself independently assessed, speaking openly about the results, and explaining trade-offs in a comprehensible way. That is precisely why we are publishing not only this article, but the full documents. The FZI report and the BSI study are available in German only:

The three fears from the beginning, theft, loss of access, and provider access, are to be taken seriously. A good password manager should have a convincing answer to all three. We are convinced that heylogin does, and the FZI's test bears this out. But you do not have to take our word for it: read the report.