diff --git a/services/Makefile b/services/Makefile
index 2743092..9e7ba76 100644
--- a/services/Makefile
+++ b/services/Makefile
@@ -46,10 +46,10 @@ machine-put-redis.conf:
 	docker-machine scp ./redis.conf selfpass01:redis.conf
 
 machine-put-data:
-	docker-machine scp -r ./data selfpass01:
+	docker-machine scp ./data/appendonly.aof selfpass01:data/
 
 machine-get-data:
-	docker-machine scp -r selfpass01:data ./
+	docker-machine scp selfpass01:data/appendonly.aof ./data/
 
 machine-add-grpc-server-tag:
 	gcloud compute instances add-tags selfpass01 \
diff --git a/services/credentials/service/service.go b/services/credentials/service/service.go
index ea3fae2..6445fc6 100644
--- a/services/credentials/service/service.go
+++ b/services/credentials/service/service.go
@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"time"
 
@@ -64,6 +65,16 @@ func validateCredentialInput(c types.CredentialInput) (err error) {
 		return fmt.Errorf("%s must specify password", types.InvalidArgument)
 	}
 
+	if _, err = base64.StdEncoding.DecodeString(c.Password); err != nil {
+		return fmt.Errorf("%s password must be encrypted and base64 encoded", types.InvalidArgument)
+	}
+
+	if c.OTPSecret != "" {
+		if _, err = base64.StdEncoding.DecodeString(c.OTPSecret); err != nil {
+			return fmt.Errorf("%s otp secret must be encrypted and base64 encoded", types.InvalidArgument)
+		}
+	}
+
 	return err
 }
 
@@ -103,6 +114,12 @@ func (svc Credentials) Update(ctx context.Context, id string, ci types.Credentia
 	c.Username = ci.Username
 	c.Tag = ci.Tag
 
+	if c.ID != id {
+		if err = svc.repo.Delete(ctx, id); err != nil {
+			return output, err
+		}
+	}
+
 	return c, svc.repo.Put(ctx, c)
 }