by Eun
3612 days ago
I am a bit shocked that they want to keep old passwords.
Imagine some hacker gains access to a username-password list, but leaks it half a year later (yes, that has happened).
Since you never changed the password, every buyer has access to your account.
But if you had changed your password, even a minor change, the attackers will ignore your account since they (usually) have a lot of other accounts to try. And why bother with the ones that don't work? Password changing gives an advantage even if it's just a minor change. Keep that in mind.
Presumably that is required to stop simple password rotation of Password1, Password2, Passsword1.
> why bother with the ones that don't work?
That's going to depend on what the attack is against. If it's a consumer-facing web site then you're probably right and the attacker will move right along unless it's a high-profile account (Zuckerberg et al). If it's an internal system then the attacker is probably more interested in named accounts/roles, and spending a few seconds to work out whether the password is an easily decipherable sequence will quickly pay off.
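The thread discusses keeping password history to block trivial rotations such as Password1 -> Password2 -> Passsword1. The following is an added example, not code from anyone in this thread, showing one way a password-change handler can flag such variants: it normalises the candidate (case, punctuation, trailing digits) and also applies a small edit-distance threshold, so both "bump the digit" and "add one letter" rotations are caught. The function names, the `max_distance` parameter and the sample passwords are all constructed for this illustration.

```python
import re


def normalize(password: str) -> str:
    """Reduce a password to its 'core' so cosmetic rotations compare equal.

    Case-folds, drops punctuation/whitespace and strips a trailing run of
    digits, so "Password1", "password2!" and "PASSWORD-3" all map to
    "password".
    """
    core = re.sub(r"[^a-z0-9]", "", password.casefold())
    return re.sub(r"\d+$", "", core)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_rotation(new_password: str, previous: list[str],
                        max_distance: int = 2) -> tuple[bool, str]:
    """Return (True, reason) if new_password is a cosmetic variant of any
    previous password, else (False, "").

    previous holds plaintext passwords; in practice only the *current*
    password is available in plaintext (the user supplies it during the
    change), so similarity checks run against that one, while exact reuse
    of older entries is checked against their stored hashes.
    """
    new_core = normalize(new_password)
    for old in previous:
        if new_password == old:
            return True, "exact reuse of a previous password"
        if normalize(old) == new_core:
            return True, "differs only by case, punctuation or trailing digits"
        if edit_distance(new_password.casefold(), old.casefold()) <= max_distance:
            return True, f"within edit distance {max_distance} of a previous password"
    return False, ""


if __name__ == "__main__":
    # Constructed sample history, mirroring the sequence named in the thread.
    history = ["Password1"]
    for candidate in ["Password2", "Passsword1", "PASSWORD-1!", "Tr0ub4dor&3"]:
        flagged, why = is_trivial_rotation(candidate, history)
        print(f"{candidate!r}: {'REJECT' if flagged else 'ok'} {why}")
```

The normalisation step is what defeats the digit-bump pattern the reply above alludes to; the edit-distance step catches the one-character fat-finger variant. Tune `max_distance` with care: at 2 or more it starts rejecting legitimately different short passwords, so it is most useful when paired with a minimum-length rule.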