Automatic Update of Date Portion (Month & Year) in Passwords
1 vote
Currently, passwords stored in Devolutions can be updated manually or fully rotated. In our environment, we have a specific requirement where only the date portion of a password (month and year) should be automatically updated, while the rest of the password remains unchanged.
Requested Functionality
- Ability to automatically update only the month and year within a password.
- The remaining part of the password should stay static.
- The update should be configurable (e.g., monthly or yearly).
- Ideally, this could be implemented via:
- Password templates with date variables (MM/YYYY or similar), or
- A built-in rule for partial password rotation.
Use Case
We manage multiple service accounts and application credentials where the password format follows a predefined structure, for example:
AppName!MMYY
Example password:
- Current password: FinanceApp!0626
- Next automatic update: FinanceApp!0726
All Comments (5)
Hi cyrillschreiber,
Thank you for sharing this request.
Our password generator is designed around security best practices, and this isn't something we're looking to implement in the short term.
We do understand that real-world environments can come with constraints, and we appreciate you taking the time to describe your use case.
Best regards,
Simon Leroux
Thank you for your response.
I understand the security considerations behind this decision. However, due to constraints in our environment, this functionality would be very helpful for us.
I would appreciate it if you could consider this for a future implementation or as an optional feature. This would not serve as a general guideline, but rather as an optional capability for specific use cases.
I would also appreciate it if you could keep me informed whether this will be implemented or not.
Kind regards,
Cyrill Schreiber
Hello,
I'm curious, if it's just an append at the end to the generated password (this could be an option in the password template), would that be enough? I'm not sure how easy it would be to include the date in an existing pattern.
Regards
David Hervieux
Hi David,
thanks for your question.
An append at the end wouldn’t be enough for us. We need to update only the date part inside a fixed password pattern.
Example:
AppName!MMYY
Only MMYY should change automatically (e.g. monthly), while the rest stays the same.
This could be done with date variables in password templates or a partial rotation rule.
I understand the security concerns, but for our environment this would be a useful optional feature.
Best regards,
Cyrill
Hi cyrillschreiber,
Good news, we've built this capability and it's planned for our next major version, coming in September. It does exactly what you described — the date lives inside your fixed pattern (not just appended at the end), the static part stays exactly as you type it, and only the month/year updates automatically.
You'll create a password template in Pattern mode, for example:
'FinanceApp!'{date:MMyy}
That produces FinanceApp!0626 this month and FinanceApp!0726 next month. The text in single quotes is kept verbatim, and {date:MMyy} inserts the current month and year — you can use any date format you like ({date:yyyy-MM}, {date:MMyyyy}, etc.).
Because password rotation generates the new password from the selected template, you can assign this template to your managed accounts and have the date advance on its own with each scheduled rotation (monthly or yearly), while the rest of the password never changes.
A couple of notes:
- If you ever want a bit of entropy alongside the fixed convention, you can add a random segment, e.g. {random:6}.
- As with any fixed/predictable format, we'd recommend using it only for the specific cases where your environment requires it.
Thanks again for the detailed use case.
Best regards,
David Hervieux
