- Bug
- Resolution: Done
- Major
- RH-SSO-7.2.4.GA, RH-SSO-7.2.5.CR2, RH-SSO-7.3-CD03
When the "Not Recently Used" Password Policy value is set to 1 from a higher value (say it was previously set to a very big number like 80, and then reduced to only 1), only one (1) password history record is deleted from the 'CREDENTIAL' table. This is incorrect if a user has more passwords in history because of a previous, larger setting of the "Not Recently Used" Password Policy value (for example from 80 to 1).
This can cause a high-latency issue when there is a password change request for users with such a huge number of old password history records in the database.
For example, it took about 8 seconds in some RH-SSO environment where a user with an old-password history count of 80 tried to change their password, even though the "Not Recently Used" Password Policy value is now set to 1 in that RH-SSO environment (but was set to 80 before).
The code in RH-SSO/Keycloak is buggy here [1]. In the case of "Not Recently Used = 1", it doesn't delete the old passwords (as inherited from a previous setting with 80), but just one password is removed and one added, so it remains with the same 80 records in the 'CREDENTIAL' table.
This looks like a regression caused by the KEYCLOAK-4095 bug fix [2] and its PR [3].
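The two behaviours described above, as an added example that is not Keycloak's own code: a small in-memory model of the password history store, with the "drop one, add one" rotation the report describes beside a rotation that trims the history to the current policy value. The model assumes that the policy value is the total number of records to keep after the change and that hashes are opaque strings; the table, the entry type and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class HistoryEntry:
    """One row of the modelled password-history store (a stand-in for the
    CREDENTIAL table). `created` is a constructed counter; larger is newer."""
    created: int
    password_hash: str  # opaque hash string; no real hashing in this model


def make_history(count: int) -> List[HistoryEntry]:
    """Constructed sample: `count` old-password rows inherited from a larger policy value."""
    return [HistoryEntry(created=i, password_hash=f"hash{i}") for i in range(1, count + 1)]


def _by_age(history: List[HistoryEntry]) -> List[HistoryEntry]:
    return sorted(history, key=lambda e: e.created)


def _check_not_recently_used(history: List[HistoryEntry], new_hash: str, limit: int) -> None:
    """Reject the change if the new hash matches any of the newest `limit` records."""
    recent = _by_age(history)[-limit:] if limit > 0 else []
    if any(e.password_hash == new_hash for e in recent):
        raise ValueError("password was recently used")


def buggy_rotate(history: List[HistoryEntry], new_hash: str, limit: int) -> List[HistoryEntry]:
    """Model of the behaviour the report describes: once the store is at or over
    the limit, exactly one (oldest) row is dropped before the new row is added,
    so a history inherited from a larger limit never shrinks."""
    ordered = _by_age(history)
    _check_not_recently_used(ordered, new_hash, limit)
    next_id = max((e.created for e in ordered), default=0) + 1
    if len(ordered) >= limit:
        ordered = ordered[1:]  # drop only the single oldest row
    return ordered + [HistoryEntry(created=next_id, password_hash=new_hash)]


def fixed_rotate(history: List[HistoryEntry], new_hash: str, limit: int) -> List[HistoryEntry]:
    """Trim to the newest (limit - 1) rows before adding the new password, so the
    store holds at most `limit` rows after the change regardless of its prior size."""
    ordered = _by_age(history)
    _check_not_recently_used(ordered, new_hash, limit)
    next_id = max((e.created for e in ordered), default=0) + 1
    keep = max(limit - 1, 0)
    ordered = ordered[-keep:] if keep else []  # drop everything beyond the new limit
    return ordered + [HistoryEntry(created=next_id, password_hash=new_hash)]


if __name__ == "__main__":
    inherited = make_history(80)  # left behind by an earlier "Not Recently Used = 80"
    print("buggy:", len(buggy_rotate(inherited, "hash_new", 1)), "rows remain")
    print("fixed:", len(fixed_rotate(inherited, "hash_new", 1)), "rows remain")
```

With the policy reduced to 1, the buggy rotation leaves the table at 80 rows after every change (and every later change still compares against all of them), while the trimming rotation brings it down to a single row on the first change.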
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java#L114
[2] https://issues.jboss.org/browse/KEYCLOAK-4095
[3] https://github.com/keycloak/keycloak/pull/3658