Sometimes.
In my experience though, services will use language along the lines of “the password can’t be the same as your last password” but if you set a random password temporarily, you then still can’t set the password to the one you wanted. Meaning they are checking earlier passwords too.
In fact I have yet to come across one where you can re-use a password by first setting it to something else. Have you?
I think most developers just assume people aren’t going to even try old passwords, only the most recent one.
I have. My former bank disallowed reusing any of your previous passwords, and also did “clever” things like flagging you for using sequences of characters from your old passwords as well.
All provisos that revealed that they were storing passwords (including old passwords) in plain text, because there’s no way they’d be able to make those determinations if they were irreversibly hashing passwords correctly.
TL;DR: They’re no longer my bank.
no, that was not my point
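The password-history check discussed in the thread above, as an added example that is not part of any poster's comment: it rejects exact reuse of earlier passwords while keeping only salted PBKDF2 records, and it shows that a new password merely sharing characters with an old one cannot be flagged from those records. The class name `PasswordHistory`, the depth of 5 and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class PasswordHistory:
    """Keeps the last `depth` passwords as (salt, digest) pairs, never plaintext."""

    def __init__(self, depth=5, iterations=600_000):
        self.depth = depth            # assumed policy: remember 5 passwords
        self.iterations = iterations  # PBKDF2-HMAC-SHA256 work factor
        self.records = []             # oldest first, newest last

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.iterations
        )

    def is_reused(self, candidate):
        # Each record has its own salt, so the candidate is re-hashed once per
        # record. Every record is checked, with a constant-time comparison,
        # so timing does not reveal which old password matched.
        hit = False
        for salt, digest in self.records:
            hit |= hmac.compare_digest(self._digest(candidate, salt), digest)
        return hit

    def set_password(self, new_password):
        """Store the new password and return True, or return False on reuse."""
        if self.is_reused(new_password):
            return False
        salt = os.urandom(16)
        self.records.append((salt, self._digest(new_password, salt)))
        del self.records[:-self.depth]  # drop records older than the window
        return True


if __name__ == "__main__":
    # Constructed sample passwords; low iteration count only to keep the demo fast.
    history = PasswordHistory(depth=3, iterations=1_000)
    print(history.set_password("correct horse"))    # True: first password
    print(history.set_password("temporary-1"))      # True: throwaway change
    print(history.set_password("correct horse"))    # False: still in history
    print(history.set_password("correct horse 2"))  # True: similarity is invisible
```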