A client’s cyber insurance renewal asks for evidence of a credential rotation policy. An auditor wants to know when the firewall admin password was last changed and whether it was actually different from the one before it. A technician swears they updated a password last month, but nobody can confirm it — or say what the old value was, in case it’s still in use somewhere else.
Most password vaults can tell you the current password. Very few can tell you what it used to be, who changed it, and when. Weavestream can, because every credential change is written to an immutable version record the moment it happens — no configuration, no opt-in, no separate audit tool.
Every Change Creates a Permanent Record
When a credential is updated in Weavestream — a new password, a renamed record, a different username or URL — the platform doesn’t just overwrite the old value and move on. It first writes a PasswordVersion record capturing the previous state of the credential: the prior name, username, URL, and encrypted secret, along with who made the change and exactly when.
This happens automatically, on every update, for every password in every tenant. There’s no setting to enable it and no retroactive gap where changes went unrecorded because someone forgot to turn a feature on. If a credential has ever been touched in Weavestream, that change is on record.
The version stays tied to the credential it belongs to, so pulling up a password’s history is a matter of opening that record — not searching a separate log or cross-referencing timestamps across systems.
Why “Just Trust the Current Password” Isn’t Good Enough
Most credential management tools are built around a single question: what’s the password right now? That’s the operationally important question day to day, but it’s the wrong question when something has gone sideways.
Consider a few situations that come up regularly in MSP work:
A credential is suspected of being reused. A client’s firewall admin login shows up in a breach notification. Before you can be confident about the blast radius, you need to know whether the current password matches what was in use at the time of the breach — or whether it was rotated since. Without version history, that’s a guess. With it, it’s a lookup.
A client asks when a password was last rotated. Some clients — particularly in regulated industries — expect periodic credential rotation as part of your service agreement. “We rotate quarterly” is a policy. Being able to show the actual rotation dates, pulled directly from the vault, is evidence.
A technician makes an unauthorized or mistaken change. Passwords get edited by the wrong person, or edited correctly but need to be reverted. Knowing exactly what the previous value was — and who changed it — turns a “someone broke something” situation into a five-minute fix with a clear paper trail.
None of these scenarios are edge cases. They’re the kind of thing that happens across a book of dozens of clients on a long enough timeline. The difference is whether you have an answer ready or have to say “we don’t track that.”
Immutable Means Immutable
The important design detail is that version history in Weavestream cannot be deleted — not by a technician, not by an admin, not through the UI or an API call. Once a version record is written, it’s permanent.
This matters because a version history that can be edited or cleared isn’t really an audit trail — it’s just a log that happens to exist until someone has a reason to make it disappear. A spreadsheet “history” tab or a shared document’s revision list can be edited by anyone with write access. Weavestream’s version records are structurally append-only: the application doesn’t expose a delete path for them, full stop.
Archiving a credential doesn’t touch its history either. If a password is soft-archived — because a client offboarded, or the credential is no longer in use — its full version history travels with it and remains intact. Unarchive it later, and the record is exactly as complete as it was before.
The Compliance Angle
For MSPs working with clients who have real security requirements — cyber insurance, SOC 2, Cyber Essentials, HIPAA-adjacent obligations, or just a security-conscious internal IT lead — “how do you prove credentials get rotated” is a question that comes up in vendor security reviews more often than most MSPs expect.
The honest answer for most shops, using most tools, is that they don’t have a good one. Password managers built for individual use don’t retain meaningful history. Spreadsheets and shared documents have no tamper resistance. IT documentation platforms that treat passwords as a bolt-on feature rarely go further than storing the current value.
Weavestream’s version history turns that into a demonstrable control: every credential change, forever, with actor and timestamp, and no way to erase the trail after the fact. Paired with Weavestream’s reveal audit trail — which logs every time a secret is decrypted and viewed — an MSP can answer both halves of the question a security review actually asks: who could see this credential, and what did it look like over time.
How It Fits With the Rest of the Vault
Version history isn’t a standalone feature bolted onto the vault — it’s one layer of a credential security stack that includes:
- AES-256-GCM encryption at rest, with envelope encryption and key rotation support
- HaveIBeenPwned breach checking on every create and update, using k-anonymity so the password itself never leaves your server
- Per-password access controls — reason-to-view prompts, user whitelists, and client portal visibility flags
- Reveal audit trail — a tamper-resistant log of every time a credential is decrypted and displayed
- Version history — immutable before/after snapshots of every change
Each layer answers a different question a security review, an insurer, or your own incident response process might ask. Version history answers the one about change: what did this credential used to be, and when did it stop being that.
Getting Started
There’s nothing to configure. Version history is active by default for every credential in every Weavestream tenant, from the first password you save. If you’re migrating an existing client’s credentials into Weavestream from a spreadsheet or another platform, the version trail starts the moment those credentials land in the vault — which is itself a reasonable argument for making the move sooner rather than later.
Weavestream is free, self-hosted, and open source. Find out more at weavestream.io.