
Hi all,

Hoping to confirm how these two values in Password Safe global policy (“Minimum (days) retention for old password” and “Number of old passwords to retain”) operate when one value has been reached but not the other.

E.g., if "Number of old passwords to retain" is set to 5 and minimum retention in days is set to 30:

Observation and some doco suggests that if a password is only changed once a month, password history will be kept for 150 days (despite the 30 day retention period) - assumedly delaying purging to allow the minimum of 5 old passwords to be retained.

Does this apply in the reverse? I.e., with the same settings, if a password is changed daily, will Password Safe retain 30 old passwords so as to satisfy the 30 day minimum retention?

Can anyone confirm?

Thanks!

Hi @Kbee,

To answer your question: yes, I would expect to see 30 days' worth of passwords due to the minimum retention period of 30 days.

It helps to consider that these purge conditions are inclusive. We’ll keep at minimum the current password + the “Number of old passwords to retain” (max 30) and delete all other passwords that are older than the “Minimum retention for old password” (max 360).

So, looking at your scenarios, this is how I understand it:

Rotation frequency   Minimum retention for old password (max 360)   Number of old passwords to retain (max 30)   Days' worth of passwords saved
Yearly (365 days)    30 days                                        5                                            0*
Monthly (30 days)    30 days                                        5                                            150
Daily (1 day)        30 days                                        5                                            30

* If you’re rotating on a period longer than a year, then it is possible there won’t be any password history, as the yearly rotation (once per 365 days) exceeds the maximum retention period (360). In this scenario, you might only have the current password with no historical passwords.

