
We are facing a common challenge in password vaulting systems where the password age isn't directly tracked, and the password hash changes even when unrelated attributes are modified. This makes it difficult to determine when the password was last changed.

Problem Summary

  • No dedicated timestamp for password change.
  • Password hash changes even when non-password attributes are modified.
  • You need to detect passwords older than 2 years to raise a security finding.

 

How to solve this in secret safe?

Hi @bpkothari,

Generally, the Password Hash should not change unless the file/secret itself has changed. Can you please provide more details on what type of secret you saw this happen with and what attributes were modified that affected the hash?

Here are some additional details on Secrets Safe Hash - BeyondInsight / Password Safe - How to upload a file or view the HASH of a file in Secrets Safe - Store keys, certificates, and tokens in Secrets Safe 

There is a timestamp located at the bottom of the ‘view details’ page of all secrets that shows the Date Created and Date Modified for the secret. However, it does not currently support the password history or the password age functionality.

There is an open feature request for it on our Ideas Portal - T2PSM-I-2439 - Add versioning and history on secret safe secrets in vault. We encourage you to add your votes to this Idea so our product team can prioritize this in our future releases.

Aging Secrets Detection would be a great new feature to request via our Ideas Portal as well - Ideas.beyondtrust.com | BeyondTrust

Please let me know if you have any questions. 

Thank you! 

 


Thanks. The "Created" and "Updated" timestamps in the detail view do not guarantee that the update was specifically for the password field. These timestamps are also updated when other fields—such as Description, URL, or Username—are modified. Therefore, there's no reliable way to determine if the update was due to a password change.

 

Similarly, the stored hash is not exclusive to the password. It changes whenever any field is modified. As a result, we cannot compare hashes to determine whether the password has changed.


We had also submitted an idea for versioning and history and had 4-5 meetings with the BeyondTrust team, but no commitment yet.
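
An external tracker for the situation described in this thread, as an added example that is not part of the original posts and not BeyondTrust code: it assumes a scheduled job that can read each secret's password value (retrieval is outside the example) and keeps a keyed digest of that field only, so edits to Description, URL or Username do not move the recorded change date. The names `observe` and `aged`, the state layout and all scan data are hypothetical and constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=730)  # the 2-year threshold from the question


def fingerprint(key: bytes, password: str) -> str:
    """Keyed digest of the password field only; no other attribute is hashed."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def observe(state: dict, key: bytes, secret_id: str, password: str,
            seen_at: datetime) -> None:
    """Record one scan. changed_at moves only when the password digest differs.

    For a secret seen for the first time, changed_at is the first-seen date,
    so the computed age is a lower bound on the real password age.
    """
    fp = fingerprint(key, password)
    entry = state.get(secret_id)
    if entry is None or not hmac.compare_digest(entry["fp"], fp):
        state[secret_id] = {"fp": fp, "changed_at": seen_at}


def aged(state: dict, now: datetime) -> list:
    """Secret ids whose password has not changed within MAX_AGE."""
    return sorted(sid for sid, e in state.items()
                  if now - e["changed_at"] > MAX_AGE)


def demo() -> list:
    key = b"constructed-demo-key"  # in practice, kept apart from the state store
    state = {}
    t0 = datetime(2022, 1, 10, tzinfo=timezone.utc)
    observe(state, key, "svc-db", "Pw-One", t0)   # constructed sample values
    observe(state, key, "svc-api", "Pw-Two", t0)
    # Later scan: svc-db had only its Description edited (password unchanged),
    # svc-api had its password rotated.
    t1 = datetime(2023, 6, 1, tzinfo=timezone.utc)
    observe(state, key, "svc-db", "Pw-One", t1)
    observe(state, key, "svc-api", "Pw-Three", t1)
    return aged(state, datetime(2024, 3, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(demo())
```

The state holds only HMAC digests and dates, never the password itself; the HMAC key needs the same protection as the vault credentials used by the scan.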

