Viewing Account Password History

Depending on the administrative rights and permissions granted to your account, you can view the password history and the specific passwords that have been used for accounts stored in the Privileged Access Service. For example, if you are a member of a role with Privilege Service Power User rights but have not been granted the Checkout permission, you can view the list of password changes recorded in the Privileged Access Service, but you cannot display the password strings that were used. If your account has the Checkout permission, however, you can use the password history to recover a previously used password for an account, then use that password, if needed, to access a system.

The password history lists all password change events for an account, regardless of whether they are caused by automatic password rotation, by checking in a managed password, or by manually updating the password for an unmanaged account. Each time a password is retired, the password history is updated with a new event that records the password that has been retired.

To view the password history for an account:

  1. In the Admin Portal, click Resources, then click Accounts to display the list of accounts.

  2. Click Local Accounts, Domain Accounts, or Database Accounts to select the type of account for which you want to view password history.

  3. Select the specific account for which you want to review password history.

  4. From the account details, click Password History.

    The password history lists the date and time of each password change event and the user who checked the password in, causing the old password to be replaced with a new password. If the password checkout period expired or the password was changed automatically because of a password rotation policy, the Retired by column displays SYSTEM$ to indicate the password change was initiated internally by the Privileged Access Service.

  5. Select the password change event in which you are interested, then select View Password from the Actions menu.

    Note that this action is only available if you have Checkout permission for the account and system combination you are viewing.

    Click Show Password if you want to view the password for the selected account as plain text or click Copy Password to copy the password without viewing it.

  6. The checkout is recorded as recent activity in the dashboard and in the list of system activity.

  7. Click Close.

By default, the Privileged Access Service automatically removes the oldest retired passwords from the password history after 365 days. You can use system-specific policies to change the interval at which the Privileged Access Service automatically removes retired passwords or to prevent the Privileged Access Service from automatically removing any retired passwords. For more information about setting the system policies for password cleanup, see Enabling Periodic Password History Cleanup.