regular password change

Here’s why a regular password change is nonsense

The average German Internet user has 25 online accounts.

For this article, I counted my accounts—just for fun: I came up with 37 online accounts with associated passwords. Alone as a private user. For corporate applications and various online portals that I use professionally as a marketing manager, there are certainly as many again. I really wonder who is dragging down my average like this …. You probably don’t, or you wouldn’t be reading this blog.

And for each of these accounts I need—you need—credentials, in the vast majority of cases a username and password.

Forgot password

And let’s be honest: Can you remember these access data?—I am happy if I know which user name I have assigned or which e-mail I have entered during registration. Before I switched to our password manager DoubleClue at HWS, this knowledge was extremely relevant for me, because I had to remember my password without technical help. That’s why I had to hit the “forgot password”-button every time—and I mean every time!—I logged into an account. Of course, that can’t be the point of having passwords.

The only exception was the password to my main email address, which I then carelessly kept for several years for logistical reasons.

Carelessly? Considering that the German Federal Office for Information Security (BSI) has still called for all passwords to be changed regularly until 2020, one would have to say yes. For that, I diligently ignored the “change-your-password” day celebrated on February 1. Why not? Chances were very high that after changing the password of this email address, I would not have been able to get into any of my accounts afterward.

At the same time, I don’t think I was careless with this long-standing and trusted password of my email address. Because this was the only one I had invested time in while I created it: long, complex, with special characters, numbers, upper and lower case, no direct reference to my person. The full program.

Changing passwords regularly leads to frustration and tempts to insecure passwords

Frustration due to regular password changes

When I look at my other—at that time—36 passwords (probably a few less), it looked different. It was mostly a relatively similar combination of one word and with a—probably—different ending. I can’t say that exactly, because as I said: I changed my passwords very often. But this did not make them more secure: on the contrary.

My experience that the frequent change of access data leads to an insecure mishmash of easily crackable or then also guessable passwords is proven by various studies. The more passwords we have to remember, the easier they become. After all, who wants to sit frustrated in front of the PC every time because the log-in didn’t work (again)?

In addition, we are usually quite unimaginative when it comes to assigning passwords: after all, we have to and want to remember them. And I’m not talking about the classics 123456, qwerty, Passw0rd, etc., but also about—supposedly—individual passwords: Pet1!, also in the variation Pet2!, etc. The more often we change our passwords—the more thinking power we need to remember them—the more insecure and similar our passwords become. And that ruins the whole approach of protecting our online identity in the best possible way.

That’s why the BSI now advises against changing passwords regularly. Because there are better options for truly secure access data.

Long, complex, and unique access data is better than a regular password change

Complexity as a basis

The most important security measures are strong and unique passwords. For the security, it depends—attention!—on the length of the password: Because the longer a password is, the more time software needs to crack it automatically. Just to give you an order of magnitude: With special characters, a software brute-force attack for an eight-character password takes just under 8 hours. That is one working day. And we all know: That can take a while, but in the end, it’s over quickly.

But it’s not just the length of a password that’s crucial: there’s also the issue with our lack of imagination: coming up with an individual password for 37+ log-ins is quite a challenge. For all those who still want to create their passwords themselves, there are tricks like “Use the first sentence of your favorite book and take the first letters as your password” or “Use three random words and combine special characters in this phrase” if necessary. However, all of this is of limited help with the sheer volume of credentials.

Fortunately, there are various technical solutions for this. At, for example, you can easily generate secure passwords according to current security standards. But how do you remember these complex passwords? I’ll come to that in a moment.

Two-factor authentication: Because two barriers are stronger than one

Two-Factor-Authentication with DoubleClue

For now, it’s worth noting that there’s a simple technical way to make log-ins more secure. Many services, including various social media platforms, PayPal, Google, Windows, etc., now offer so-called two-factor authentication (2-FA). In some cases, 2-FA is even mandatory to use the service. This second login hurdle—for example in the form of an SMS or push approval on the smartphone—makes even the lumpiest log-in more secure. Of course, no one should feel tempted to use 1234 as a password, but two-factor authentication still protects your account even if the password itself has been cracked. With these accesses, it is, therefore, possible again to create memorable and short—but also insecure—passwords.

Password managers are better at remembering passwords than we are


Mit dem Laden des Videos akzeptieren Sie die Datenschutzerklärung von YouTube.
Mehr erfahren

Video laden

Speaking of password remembering. For me, it even starts before that: Exactly what online service do I have an account with? I’m sure if I didn’t have a list of my passwords, I wouldn’t be able to tell you the exact number of active online accounts I have. And I’m not even talking about linking these accounts to the correct credentials. I’m talking about the question: Where exactly am I on the Internet?

That’s why it’s good that technology takes the work off my hands here as well. And NO—no Excel list, no Word document on the desktop—What if my computer gets hacked?—or an analog piece of paper on the desk.

It makes more sense to have a password manager, where I can store access data and organize them thematically. There are various solutions on the market, but it makes sense to use those that can be synchronized across devices. After all, what’s the point of accessing the Deutsche Bahn app, for example, if you need a ticket on the road but the password is on your home PC?

Should we even change our passwords then?

man sits in front of laptop

With our modern tools, changing passwords is virtually unnecessary. Nowadays, the only things you should change regularly are toothbrushes and underpants. And maybe the comforter cover.

However, some situations speak for a timely password change: Because if there is a security-relevant reason, even the most secure password should be changed. This is the case, for example, if access data to an online network has been disclosed, by hacking into the provider’s systems. Or also if there is an overall GDPR-critical incident in this company. This does not necessarily mean that your access data is affected: But better safe than sorry.

Some password managers therefore already have a password health check integrated. This not only shows whether the password is strong and only used once but also whether there has been a data protection incident. There are also ways to check the quality of a password on the Internet. Sites such as Have I Been Pwned also search the (dark)web for exposed credentials and check for you whether your password is affected.

If changing your password regularly isn’t necessary, is the change-your-password tag still useful at all?

Yes—even if the name is certainly no longer correct today: Why don’t we use this day to make ourselves aware that our online identity should be well protected?

Even if we don’t have to change all our passwords right away, we should still question our passwords and accesses. Are there certain accounts that I have not used for a long period? Then I should close them if necessary. After all, an account that I do not own cannot be hacked. What about the health and integrity of the accounts I use? Might I need to take action here?

That’s why you use the change-your-password day to question your passwords. And, if necessary, to consider where and how you can store your passwords securely.

Identity Protection Software DoubleClue extended with automated workflow capabilities

With the new version DoubleClue Enterprise Management 2.5, HWS Gruppe focuses on an improved user experience and thus combines the highest security with the best performance.

Neustadt an der Aisch, 08.07.2021 – HWS Gruppe, a medium-sized provider of software development and IT services, announces the release of DoubleClue Enterprise Management (DCEM) 2.5. In addition to a completely redesigned user interface, the latest version of the identity protection solution brings secure and convenient single sign-on to all popular web applications and services and automation in the areas of file management and administration.

HWS Gruppe introduced DoubleClue 2018 as the German IAM solution for a successful digital trust strategy. The high functional scope in the area of identity security meets the requirements of modern companies of all sizes: in addition to multifactor authentication for logging in to different devices and services, DoubleClue brings an IAM with adaptive access policies as well as the central password manager DoubleClue PasswordSafe and the cloud data storage DoubleClue CloudSafe.

DoubleClue MyApplications: Single Sign-On for more efficient workflows

The latest version DCEM 2.5 focuses on improving the user experience as well as workflow management. Whereas IT security software solutions were previously considered an obstacle to workflow automation, single sign-on solutions offer an efficient way to support workflow and productivity management. At the same time, single sign-on protects digital identities during the login process.

“Today, IT security software must be able to do much more than ‘just’ provide security,” comments Marc Pantalone, Business Development Manager at HWS. “Rather, it must be able to support processes and workflows and increase employee productivity. Companies need software whose handling is intuitive and quick to learn. Only if a solution also offers added value in day-to-day work the acceptance for investment and use will increase among the management level as well as the workforce.”

Integration of popular third-party authenticator apps for uninterrupted login processes

DoubleClue MyApplications enables uninterrupted login processes by integrating popular third-party Authenticator apps. Users who already use an Authenticator app for two-factor authentication with PayPal, social media, or other services can integrate it in DoubleClue. The access to the one-time password required for identification is automated in the background after a successful setup in the DoubleClue MyApplications dashboard.

Developed with customers for customers

HWS Gruppe focuses on close customer feedback in the further development of the software solution.

“Only by also involving our customers in the further development of features we can deliver a product that meets the needs of the market without compromise,” adds Emanuel Galea, Senior Director Software Development at HWS. “For example, the key unique selling point of our single sign-on, the integration of third-party authenticator apps, is directly attributable to customer feedback. Since many services already supported two-factor authentication with third-party providers such as Google or Microsoft Authenticator, our customer wanted to continue using them – while benefiting from the convenience of a single sign-on. Therefore, we designed DoubleClue MyApplications so that these solutions could also be included when setting up single sign-on to ensure a fully automated and highly secure sign-on process.”

DoubleClue meets OWASP standards

DCEM 2.5 complies with the latest OWASP standards such as support for Content Security Policy (CSP) and protection against Cross-Site Scripting (XSS). HWS Gruppe thus offers companies an answer to the new challenges resulting from the increasing digitalization of the economy.

Automations simplify administration

In addition to DoubleClue MyApplications, DCEM 2.5 offers further improvements in automating processes for users and administrators. The most decisive innovation is the group-based rights management, which replaces the role-based model. This significantly reduces the administration effort when onboarding new employees and implementing new systems.

The most important new features in DCEM 2.5

  • Single sign-on dashboard DoubleClue MyApplications for all popular web applications in Chrome, Firefox, and Edge
  • Integration of all popular third-party Authenticator apps
  • New automation for document management in DoubleClue CloudSafe
  • Customizable user keys for encryption of confidential files in DoubleClue CloudSafe
  • Simplified administration with group-based permissions and improved dashboards for administrators
  • Support for Content Security Policy (CSP)
  • Modern design for even more intuitive access to the system

The DoubleClue identity protection solution is available on-premises or in the German cloud.

About HWS Informationssysteme GmbH

HWS Gruppe offers its customers comprehensive IT services, software development, and consulting, especially in the areas of IT infrastructure, cloud operations, and identity protection. More than 150 employees from Neustadt an der Aisch (Middle Franconia) and the nearshore delivery center in Malta support both DAX corporations and upper mid-sized companies in holistic IT projects. Thanks to a progressive and demanding service approach, we have been convincing customers as a reliable and close partner for more than 20 years.

Our comprehensive IT security solution “DoubleClue” provides companies worldwide with secure identity and access management as well as a strong multifactor authentication solution.

Learn more about us and our services and software products at &


Michaela Senft
Marketing & Communication Manager, HWS Gruppe

Telefon: +49 (0)151 5351 2501



How well is your company protected against hacking?

Missing access policies, poor password hygiene, and lack of awareness of social engineering: humans are the biggest risk factor for your IT security. It doesn’t have to be. A comprehensive identity protection solution like DoubleClue protects your employee identities and access from misuse – and improves internal workflow in a compliant manner for smooth operations.

Social Engineering: Humans at the Heart of Hackers

Digitization brings with it a major challenge: ensuring that only authorized individuals have access to certain devices, applications, and data. In addition to safeguarding against technical attacks (firewall, VPN clients, and anti-virus software), this also includes a social component.

Because modern hacking attacks have long relied on the biggest weak point in your IT landscape: the human factor. And their negligence in dealing with basic security requirements: passwords that are too short or used multiple times, a lack of awareness of social engineering, or simply too lax settings in the area of identity and access management form the gateway for criminal machinations.

DoubleClue: IT Security for the Human Factor

  • Granular distribution of access rights to employees as well as external resources using comprehensive Identity and Access Management (IAM) including Privileged Access Management (PAM)
  • Multifactor Authentication (MFA) protects employee identities from misuse
  • Centralized password management increases enterprise password security while enabling a pleasant user experience
  • Centralized password and data storage encrypted from both external and internal access

Automate approval processes using digital signatures

DoubleClue offers companies many options for user self-service via the system: autonomous addition of devices and applications, automated password reset without administrator involvement, as well as digital approval of document access and granting of approvals via push messages. This saves time and resources on day-to-day operations.

At the same time, these approval processes are tamper-proof thanks to Public Key Infrastructure (PKI). Thus, push messages generated by DoubleClue comply with the standards of the Digital Signature Act and PSD 2 regulation.

Encrypted data storage

The integrated DoubleClue CloudSafe enables centralized encrypted storage of highly sensitive files on your own servers (on-premises) or in the cloud. This allows device-independent access, which can also be shared with internal and external parties. Furthermore, this advanced type of storage rules out decryption by third parties. Thus, passwords and confidential documents can be stored in DoubleClue without hesitation.

Uninterrupted workflows through reduced password entry

Software that combines IAM, MFA, and password management enables single sign-on (SSO). This means that your employees* only need to log into DoubleClue once to gain uninterrupted access to their applications. This leads to higher employee productivity and satisfaction in your organization.
The innovative DoubleClue Single Sign-On additionally embeds automated log-in to applications that rely on common third-party MFA.

Invest in the passwordless future today

IT security is the foundation of your modern enterprise. At the same time, a future-proof solution must map the future needs of innovative companies today.
Predictions from business experts* indicate that passwords will be replaced by more secure authentication options – today, they remain a reality for the vast majority of applications.

With DoubleClue, which brings the integrated PasswordSafe, you have a state-of-the-art software solution while being prepared for the passwordless future. The innovative range of functions forms the basis for smooth workflows and efficient collaboration in your company. This makes DoubleClue the optimal and secure solution for identity protection.

Learn more about DoubleClue here.


DoubleClue—Version 2.4.2 for Android available

A new version for Android is available for the DoubleClue identity security app, which can be downloaded now in the Google Play Store.

The latest version 2.4.2. comes with a new design that once again increases the user experience. In addition to an improved user interface, it also adds some new features that make the app faster and easier to use.

What’s new in DoubleClue 2.4.2 for Android

New Design

For the new version, we have completely overhauled the design and focused entirely on improving the user experience. We’ve gone for a modern look with much more streamlined layouts that make the app even more intuitive to use.


With the new Autofill feature, you can now conveniently insert your passwords and login credentials directly from your PasswordSafe into apps and homepages (supported from Android 9).


In the new version, we provide a tutorial for new users: This explains the most important functions of the app.

You can also find more about DoubleClue under the Products tab or on the DoubleClue homepage.