A reason for password change could be to increase security by not having that salted hash stored (or password) anymore on that service.
On the UI, the service may try and make me not use my immediately previous password but any of the older passwords should be OK.
@alvarezp @emanuel @alcinnz Password history is actually kind of important these days. For that matter, I think it’d be good to check a proposed password against a badlist, populated by username/compromised passwords, and reject already revealed passwords associated with the user ID. Passwords should be changed when compromised, not as a time-based event.
Same with the password history technique: it is perceived as a need and it is perceived as important but it does not do any more good than the complexity, risks and inconveniences it adds.
@SuperFloppies @emanuel @alcinnz I also found this question in Stack Exchange: https://security.stackexchange.com/questions/85074/is-it-safe-to-store-a-password-hash-history-for-preventing-user-to-keep-same-pas
@alvarezp @emanuel @alcinnz Reusing old passwords represents a real risk. How many people do you know that check to see if the password they use is known to the Internet, or reuse work passwords for personal accounts?
A good auth system will monitor those things for you and prohibit you from using a compromised password. But there is a sound logical reason for this. There never has been for age-based password expiration.
@SuperFloppies @emanuel @alcinnz It's not the same to reuse old passwords as to reuse leaked ones. A company can check against its known-leaked password database and reject with "can't reuse a known-leaked password". If that database is stolen, no problem: it was already leaked.
But old vs leaked, there is no correlation: not all old passwords are leaked *unless the leaked database contained whole password histories*, which made it worse for all!
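The known-leaked-password check described in this post (and proposed earlier in the thread) as an added Python example, not code from any of the participants: the store holds only hashes, indexed by prefix, so a client reveals no more than five hex characters of the candidate's hash (the k-anonymity range-lookup pattern). The sample corpus, function names and the 12-character minimum are assumptions.

```python
import hashlib

# Constructed sample corpus standing in for a compromised-password feed
# (hypothetical data, not a real breach dump).
COMPROMISED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "hunter2"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form used by range-style breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index leaked hashes by their first 5 hex characters.

    This is the server side of a k-anonymity lookup: the store contains only
    hashes and no user IDs, so its theft reveals nothing that was not already
    public, which is the point made about a known-leaked database above.
    """
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_query(index, prefix: str):
    """Server side: given a 5-char prefix, return every suffix stored under it."""
    return index.get(prefix, set())


def is_compromised(password: str, index) -> bool:
    """Client side: only the prefix is sent; the full hash never leaves the client."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def check_new_password(proposed: str, index, min_length: int = 12):
    """Accept/reject decision driven by compromise, not by password age."""
    if is_compromised(proposed, index):
        return (False, "can't reuse a known-leaked password")
    if len(proposed) < min_length:
        return (False, "too short")
    return (True, "ok")


INDEX = build_range_index(COMPROMISED_PASSWORDS)

if __name__ == "__main__":
    for candidate in ["hunter2", "correct-horse-battery-staple-9f3a"]:
        print(candidate, check_new_password(candidate, INDEX))
```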
Security comes in layers. When there is a good reason to cast away a layer, fine. This? Not that.
But we’re done here. The merits speak for themselves.