Will the Advanced Audit Logs include password history?

I noticed in another forum posting (from late '18 or '19, if I recall correctly) that password history was under consideration for implementation in the advanced audit log feature.

Will this feature be present in the (currently-being-implemented) “Advanced Audit Logs” implementation? It’s a big bonus for our use case.

Thanks,
Ben

Unfortunately, at the moment the advanced audit log will not include the history of passwords, as passwords are deleted when access is dropped.

If you are curious, here is a work in progress document of the functionalities the team has been working on: https://docs.google.com/document/d/1RKC86oSoyyH46DCsMNpFAbI-Qm1QWPwnsz8OXCLogz8/edit?usp=sharing

@googol88 can you explain a bit more what your use case is? Why do you need the password history, and how would it be useful for you? For example, when do you need previous versions of passwords, and why? That feedback would be very helpful.

Cheers,


I use Passbolt for network devices (firewalls, routers). These devices often have the ability to roll back configuration to a specified date. When configuration is rolled back, the password is also reset to the value it historically held.

Because of this, we need to keep past passwords, and we need to know for what given date a password is valid. With the ability to view a password’s history (by everyone who has that secret), we could easily see that e.g. in 2018 the password was changed, and try the old value in the hardware device.

Our current workaround is just to maintain multiple password entries for each device, indicating which dates they’re valid for in the title, e.g. “Router password 2018-04 - 2019-04”. This can be a bit cluttered, and it also means we have to ensure each password is shared when we add a new user.


Also, thank you for the quick reply!


Thanks for the detailed explanation; it makes sense. So what would be needed is similar to Wikipedia pages, where you can revert to a previous version.

Unfortunately it’s not trivial. Considering the current design, where the secret is encrypted with the public key of each person who has access, we would also need to share the password history (all previous versions) when we share passwords with new people, creating some overhead (more data to encrypt, a larger secret, etc.). But we should be able to start working on this topic once we have the “custom field” feature.
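To make the overhead described in the reply above concrete, here is an added Go example (not Passbolt's code, and not an API the project exposes) that models a versioned secret under the per-recipient encryption design and the "which value was valid on date X" lookup from Ben's router use case. Everything in it is an assumption for illustration: the `User`, `Version` and `Resource` types are hypothetical, RSA-OAEP on the password bytes stands in for OpenPGP (which would encrypt a session key instead, with the same number of public-key operations), and the `Encryptions` counter exists only to show the cost. The key property it demonstrates is the one the reply points at: because the server never holds plaintext, a current member must decrypt every historical version and re-encrypt it for a newcomer, so sharing cost scales with the number of versions kept, not just the number of secrets.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// User is a hypothetical member; an RSA key pair stands in for the member's OpenPGP key.
type User struct {
	Name string
	Priv *rsa.PrivateKey
}

func NewUser(name string) (*User, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{Name: name, Priv: priv}, nil
}

// encryptFor is one public-key encryption (RSA-OAEP; fine for passwords under 190 bytes).
func encryptFor(pub *rsa.PublicKey, pw []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pw, nil)
}

// Version is one historical value; ValidFrom is YYYY-MM-DD so string order is date order.
type Version struct {
	ValidFrom string
	Envelopes map[string][]byte // member name -> ciphertext encrypted for that member
}

// Resource is a password entry whose whole history is shared with every member.
type Resource struct {
	Members     map[string]*rsa.PublicKey
	Versions    []Version // kept in ValidFrom order, newest last
	Encryptions int       // public-key encryptions performed so far: the overhead in question
}

func NewResource(owner *User) *Resource {
	return &Resource{Members: map[string]*rsa.PublicKey{owner.Name: &owner.Priv.PublicKey}}
}

// SetPassword records a new version: one encryption per current member.
func (r *Resource) SetPassword(validFrom string, pw []byte) error {
	if n := len(r.Versions); n > 0 && validFrom <= r.Versions[n-1].ValidFrom {
		return fmt.Errorf("version dated %s is not newer than the latest one", validFrom)
	}
	v := Version{ValidFrom: validFrom, Envelopes: map[string][]byte{}}
	for name, pub := range r.Members {
		ct, err := encryptFor(pub, pw)
		if err != nil {
			return err
		}
		v.Envelopes[name] = ct
		r.Encryptions++
	}
	r.Versions = append(r.Versions, v)
	return nil
}

// Share adds a member: the sharer decrypts every version and re-encrypts it for the newcomer.
func (r *Resource) Share(sharer, newcomer *User) error {
	if _, ok := r.Members[sharer.Name]; !ok {
		return fmt.Errorf("%s has no access to this resource", sharer.Name)
	}
	for i := range r.Versions {
		pw, err := rsa.DecryptOAEP(sha256.New(), nil, sharer.Priv, r.Versions[i].Envelopes[sharer.Name], nil)
		if err != nil {
			return err
		}
		ct, err := encryptFor(&newcomer.Priv.PublicKey, pw)
		if err != nil {
			return err
		}
		r.Versions[i].Envelopes[newcomer.Name] = ct
		r.Encryptions++
	}
	r.Members[newcomer.Name] = &newcomer.Priv.PublicKey
	return nil
}

// PasswordAt returns the value in force on a date: the newest version with ValidFrom <= date.
func (r *Resource) PasswordAt(u *User, date string) ([]byte, error) {
	for i := len(r.Versions) - 1; i >= 0; i-- {
		if v := r.Versions[i]; v.ValidFrom <= date {
			if ct, ok := v.Envelopes[u.Name]; ok {
				return rsa.DecryptOAEP(sha256.New(), nil, u.Priv, ct, nil)
			}
			return nil, fmt.Errorf("%s has no access to this resource", u.Name)
		}
	}
	return nil, fmt.Errorf("no version of this secret was valid on %s", date)
}
```

Driving it with two members and two versions shows the arithmetic: two `SetPassword` calls with one member cost 2 encryptions, sharing with a second member costs another 2 (one per version, not one per secret), and every later version then costs 2 more. The alternative the reply mentions, a single larger secret that bundles all versions, keeps the public-key operation count at one per member but re-encrypts the whole history on every change. `PasswordAt` is the rollback query from the router scenario: ask for the value in force on the date the device configuration was restored to.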

I think that rollback similar to e.g. Wikipedia would be the best implementation of the feature, yes - I can imagine worse/easier implementations that would likely be fine, too.

It looks like Custom Fields are in the backlog, unfortunately. I’ll eagerly await them!
