Another reference to the unlimited password history would be to compare it to the time machine feature present on Apple’s mac computers, where you have a full backup and can come back if there is a problem: Back up your Mac with Time Machine - Apple Support
The cool thing about this is having a copy of everything that was done. This is useful to help prevent password loss. For example, passwords accidentally deleted or by physical(server) or human error. In addition to ensuring the integrity of users’ passwords.
Some initial conclusions from reading all these links and posts
I think all these matters somehow involve an unlimited history of passwords, items, email, notes.
I think it’s seriously important to merge it all into this as a smart history feature. Some believed that unlimited password history is a good feature, but it would have other additional features like changed email history, changed username history, and changed note history.
How these fields are created at vault time. All these features are complementary in my view and essential.
But since the post is about the unlimited password history feature, consider the links or ideas that talk about it.
In order to have an unlimited, reliable and secure password history, it would be necessary to offer the user the following options:
Option to clear password history in full or in part. That way, the user can select to remove all the passwords from the history or just the one that he wants to remove manually.
Option where you can set the amount of passwords to be displayed in the password history. If you think of the password as just a field to be used, filled in, these features I mentioned are the most essential.
I don’t know if these features have been implemented, but for the most part they are interesting and as I said they are good, essential.
Audit: Know the changed passwords. From the first to the last modification.
“Reasoning for this is that many places with strict security use password history as a way to recover an account (or in some instances just verify identity), but using good security practices by having entirely randomized passwords makes this basically impossible. Runescape is one great example, often requiring a previous passwords history, sometimes dating back to the beginning of the account (and often times wanting a list of all passwords you have).”
Backup: With unlimited password history, we have a complete backup of everything we’ve done or changed, so it’s easy to go back to the newest or oldest version of the password, whether for auditing or security purposes.
Another reference to the unlimited password history would be to compare it to the time machine feature present on Apple’s mac computers, where you have a full backup and can come back if there is a problem. 1. The cool thing about this is having a copy of everything that was done. This is useful to help prevent password loss. For example, passwords accidentally deleted or by physical(server) or human error. In addition to ensuring the integrity of users’ passwords.
This feature is present in Evernote, where you have a history of what was changed in the note. If it’s something interesting and feasible, password history is also possible. It would be close to the Evernote feature that has a complete history of notes, but instead of notes, passwords. As far as this is possible, it may have additional features such as field history or notes.
We will have the option to define the passwords that will be displayed, as well as the possibility to manually delete the password history or select everything to be removed. Our user freedom would be guarded.
I’m not here to criticize anyone, I want everyone to gather ideas so that everything is interesting and within possibilities something good, viable and incredible. That way, we will always have something good and satisfying for everyone.
If the user wants to manually delete password history or make a full selection to remove all password history, he needs a confirmation screen to perform this action
This is a great summary here, totally agree with you and thanks for writing this all up!
I also think deleting password history would be critical in this case, especially for organizations that might not want previous passwords to be viewable to people in which the passwords are shared with.
A larger password history would be useful if someone were to update/generate a new password field X times which cleared out the old password.
Though unlikely it could still be useful. I think rather than it being unlimited for everyone, making this available as a policy and allowing the admin to set the limit would be better. Alternatively, making it so you can pull the data via an individualized password history ‘audit’ report or something.
I can’t tell you how many times I’ve been afraid of loosing my current password when I use the password generator to update an account’s password, but the site keeps rejecting the newly generated password (without listing password requirements or indicating what I’m doing wrong - too many characters, unacceptable special characters, etc.)