[Moodles]

A lot of users will simply change their passwords by appending a 1, 2, 3, etc. at the end. Presumably if old passwords did sour and become compromised then Hashcat would easily crack the minor tweak on the new password.

To be fair to these companies, the reason they do passwords so terribly is because of such poor guidance and standards in the past. Even now NIST has SP 800-132 for guidance on generating a cryptographic key from a password for storage applications, which is different and often confused with guidance on storing passwords (which they don’t give advice for). There they say to use PBKDF. Also, compliance standards such as PCI don’t allow for modern storage like Argon2, so at best companies use something like bcrypt.

[Karsteski]

This is literally what I did at my last company, where we had to change our passwords every few weeks. It was so damn frustrating. I'd be fine memorizing a random string of text, but having to constantly change my passwords meant that I'd continuously get locked out until I did that.

For my own personal use, I just use a password manager + randomly generated passwords, but it seems corporations are so damn slow to pick up on these obviously beneficial things that they choose clearly antiquated standards instead.

[jrodthree24]

My company just fixed this. By requiring you to change your password by more than the last character. Really cutting edge security here.

[orthecreedence]

2password

3password

4password

...

>=]

[ozim]

https://en.wikipedia.org/wiki/Levenshtein_distance

Anything below 5 in distance gets rejected, try again, please.

While you get to change password you make 2 boxes with current and new of course and do your comparisons on it, just to explain you still keep passwords hashed.

[benhurmarcel]

password01january

password02february

password03march

...

[bombcar]

This is the main thing. A password leak either gets the password or gives you a basis for attacking variations of it.