Password Policy: No Reuse of Past Password #98
Description
Enforce that users cannot reuse their current password when changing their password.
FUTURE: Consider storing past passwords to ensure that the user cannot use any of the past X passwords. This would require storing past passwords encrypted and comparing the new password hash with the old password hashes. At the moment, it might be too much to store old passwords and could be some sort of a liability? Perhaps worth researching on OWASP or other security forums.