diff --git a/infrastructure/backup/image/Dockerfile b/infrastructure/backup/image/Dockerfile
index 24e9b47..37aa6df 100644
--- a/infrastructure/backup/image/Dockerfile
+++ b/infrastructure/backup/image/Dockerfile
@@ -5,3 +5,5 @@ ADD resources /tmp/
 RUN /tmp/install.sh
 ADD local/ /usr/local/lib/dda-backup
 RUN init-bb.bb
+ADD resources2 /tmp/
+RUN install -m 0700 -o root -g root /tmp/test-me.bb /usr/local/bin/
diff --git a/infrastructure/backup/image/resources/init-bb.bb b/infrastructure/backup/image/resources/init-bb.bb
index aa09429..af0856c 100755
--- a/infrastructure/backup/image/resources/init-bb.bb
+++ b/infrastructure/backup/image/resources/init-bb.bb
@@ -1,42 +1,3 @@
 #!/usr/bin/env bb
 
-(require '[babashka.tasks :as tasks]
-         '[dda.backup.cred-rot :as cr]
-         '[dda.backup.restic :as rc]
-         '[dda.backup.postgresql :as pg])
-
-(def restic-repo {:password-file "restic-pwd"
-                  :restic-repository "restic-repo"})
-
-(def file-config (merge restic-repo {:backup-path "files"
-                                     :files ["test-backup"]
-                                     :restore-target-directory "test-restore"}))
-
-(def db-config (merge restic-repo {:backup-path "db"
-                                   :pg-db "mydb"
-                                   :pg-user "user"
-                                   :pg-password "password"}))
-
-(def cred-config (merge restic-repo {:new-password-file "new-pw-file"}))
-
-(def dry-run {:dry-run true :debug true})
-
-(defn prepare!
-  []
-  (spit "/tmp/file_password" "file-password")
-  (spit "restic-pwd" "ThePassword")
-  (tasks/shell "mkdir" "-p" "test-backup")
-  (spit "test-backup/file" "I was here")
-  (spit "new-pw-file" "newpassword")
-  (tasks/shell "mkdir" "-p" "test-restore")
-  (pg/create-pg-pass! db-config))
-
-(defn restic-repo-init!
-  []
-  (rc/init! restic-repo))
-
-(prepare!)
-(restic-repo-init!)
-(cr/list-passwords! cred-config)
-(cr/maybe-add-new! cred-config)
-(cr/list-passwords! cred-config)
\ No newline at end of file
+(println "initialized")
diff --git a/infrastructure/backup/image/resources2/test-me.bb b/infrastructure/backup/image/resources2/test-me.bb
new file mode 100755
index 0000000..c00a43a
--- /dev/null
+++ b/infrastructure/backup/image/resources2/test-me.bb
@@ -0,0 +1,44 @@
+#!/usr/bin/env bb
+
+(println "initialized")
+
+(require '[babashka.tasks :as tasks]
+         '[dda.backup.cred-rot :as cr]
+         '[dda.backup.restic :as rc]
+         '[dda.backup.postgresql :as pg])
+
+(def restic-repo {:password-file "restic-pwd"
+                  :restic-repository "restic-repo"})
+
+(def file-config (merge restic-repo {:backup-path "files"
+                                     :files ["test-backup"]
+                                     :restore-target-directory "test-restore"}))
+
+(def db-config (merge restic-repo {:backup-path "db"
+                                   :pg-db "mydb"
+                                   :pg-user "user"
+                                   :pg-password "password"}))
+
+(def cred-config (merge restic-repo {:new-password-file "new-pw-file"}))
+
+(def dry-run {:dry-run true :debug true})
+
+(defn prepare!
+  []
+  (spit "/tmp/file_password" "file-password")
+  (spit "restic-pwd" "ThePassword")
+  (tasks/shell "mkdir" "-p" "test-backup")
+  (spit "test-backup/file" "I was here")
+  (spit "new-pw-file" "newpassword")
+  (tasks/shell "mkdir" "-p" "test-restore")
+  (pg/create-pg-pass! db-config))
+
+(defn restic-repo-init!
+  []
+  (rc/init! restic-repo))
+
+(prepare!)
+(restic-repo-init!)
+(cr/list-passwords! cred-config)
+(cr/maybe-add-new! cred-config)
+(cr/list-passwords! cred-config)
diff --git a/src/dda/backup/cred_rot.clj b/src/dda/backup/cred_rot.clj
index 738b938..1b64370 100644
--- a/src/dda/backup/cred_rot.clj
+++ b/src/dda/backup/cred_rot.clj
@@ -22,8 +22,11 @@
   [config ::cred-rot]
   (let [{:keys [new-password-file valid-from]} (:new-password-config config)]
     (if (not (nil? new-password-file))
-      (let [parsed-passwords (parsed-passwords! config)]
-        (i/execute! (domain/add-password-command config) config)))))
+      (let [parsed-passwords (domain/parse-response (list-passwords! config))]
+        (when (> 0 (compare
+                    (:created (last parsed-passwords))
+                    valid-from))
+          (i/execute! (domain/add-password-command config) config))))))
 
 (defn-spec replace-old-password! nil?
   []
diff --git a/src/dda/backup/cred_rot/domain.clj b/src/dda/backup/cred_rot/domain.clj
index 5bbe2e0..c1b6b64 100644
--- a/src/dda/backup/cred_rot/domain.clj
+++ b/src/dda/backup/cred_rot/domain.clj
@@ -75,4 +75,4 @@
 
 (defn-spec parse-response ::response
   [response string?]
-  (s/conform )(cc/parse-string response #(keyword %)))
+  (sort-by :created (cc/parse-string response #(keyword %))))
diff --git a/test/dda/backup/cred_rot/domain_test.clj b/test/dda/backup/cred_rot/domain_test.clj
index fc58321..c1b1aeb 100644
--- a/test/dda/backup/cred_rot/domain_test.clj
+++ b/test/dda/backup/cred_rot/domain_test.clj
@@ -6,13 +6,24 @@
    [dda.backup.cred-rot.domain :as cut]))
 
 (deftest test-parse-response
-  (is (= [] (cut/parse-response "[
+  (is (= 
+       [{:current true,
+         :id "b67161fb",
+         :userName "root",
+         :hostName "backup-restore-65bd9b6ff5-z69sn",
+         :created "2024-10-18 13:16:54"}
+        {:current false,
+         :id "521e0760",
+         :userName "root",
+         :hostName "backup-restore-65bd9b6ff5-z69sn",
+         :created "2024-11-18 13:08:16"}] 
+       (cut/parse-response "[
   {
     \"current\": false,
     \"id\": \"521e0760\",
     \"userName\": \"root\",
     \"hostName\": \"backup-restore-65bd9b6ff5-z69sn\",
-    \"created\": \"2024-10-18 13:08:16\"
+    \"created\": \"2024-11-18 13:08:16\"
   },
   {
     \"current\": true,