KeyNanny should keep old passwords for rollback/troubleshooting (password versioning)

[aleibl]

When replacing a password, KeyNanny should keep the old password.

Suggested implementation:

• Rename the old password blob, appending the timestamp of the change.
• Move old blob to a subdirectory.
• Keep all old password blobs (users can rm them if they want).

No automated housekeeping is required because file size is small. Users can set up their own housekeeping (e.g. using cron) and delete older files if necessary.