[squeaky-clean]

My university required us to change passwords every semester, and the password couldn't contain a similar enough substring of any of your old passwords. (I think 4 characters was the threshold, it would also detect reversed substrings).

I didn't really know much about web dev or security at the time, but thinking back to it now, there is no safe way they could have done that.

[e12e]

Technically, they might have been able to take the new password, which would traditionally not have been hashed on the client side, and try and permute it to see if it hashed to the same value as the old hash. Granted, with current best-practices in stretching, it probably shouldn't have been feasible to do even that -- but for salt+sha1 it might have worked.

They probably didn't though.