I think it would be great to have an option to enable infinite password history, whether that is for the entire account or even just for specific item entries.
Reasoning for this is that many places with strict security use password history as a way to recover an account (or in some instances just verify identity), but using good security practices by having entirely randomized passwords makes this basically impossible.
Runescape is one great example, often requiring a previous password history, sometimes dating back to the beginning of the account (and oftentimes wanting a list of all passwords you have).
Not a huge deal but would be a nice to have.
Here’s an example:
Think of someone working in a financial position. Security policies require regular password changes for a financial application or database every 30 days. Legal requirements exist to have the financial data backed up and kept for 7 years. A request comes to restore the financial data for an audit from 6 years, 3 months ago. That person would need to know at least the previous (12*6+3) 75 password changes in order to log back into that restored environment.
I’m not the financial person in the example above but I do have a requirement to track all previously used passwords in the event that a system is restored from a backup for any reason and from any date. Bitwarden currently does not work for me with the current limitation of only tracking the last 5 password changes.
Legal requirements exist to have the financial data backed up and kept for 7 years. A request comes to restore the financial data for an audit from 6 years, 3 months ago. That person would need to know at least the previous (12*6+3) 75 password changes in order to log back into that restored environment.
Wouldn’t they restore all data except for the Login table in that scenario? Then you can log in to the restored environment with the current password. I’d find it weird that a system would be designed requiring knowledge of 75 historical passwords.
It’s even weirder since they require you to change your password to increase security… then later to use that old password to access backups.
Yeah, I’m in agreement here I think. Still, it would be nice to have infinite history in the odd situations that it’s needed, such as the aforementioned Runescape account recovery type stuff. I mean sure we can just copy and paste the old passwords into the notes section but having it automated would be nicer.
If the audit request is to audit access / permissions to the system, the authentication platform needs to be restored as well.
Typically, restoring old systems for audit purposes, to get old records, to test restoring the entire infrastructure for disaster recovery purposes, etc. are done on isolated networks and intentionally kept away from the live production systems. That means the authentication system (in my case Active Directory) needs to be restored as well.