If a user account is compromised because its password has leaked, the user (or whoever holds the leaked credential) can "change" the password to the same value, which leaves the leaked password valid and perpetuates the malicious access. In particular, if the application administrator forces a password change after a breach, the user can by design reuse the same password, which defeats the purpose of the forced reset.
Do not allow a user to change his password to one he has already used: keep track of the hashes of the last 5 passwords and reject any new password that matches one of them. Ensure that the tracking system never stores the previous passwords themselves and only keeps their unique hashes (recommended to be salted).
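The following is an added Python example (not code from the original finding) that implements this recommendation: an account keeps only salted PBKDF2 hashes of its current and previous passwords, and a change is refused when the new password matches any of them. The class and helper names, the history size constant and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Optional

# Illustrative constants for this example (not from the original finding):
HISTORY_SIZE = 5              # the finding recommends remembering the last 5 password hashes
PBKDF2_ITERATIONS = 100_000   # kept low so the demo runs quickly; tune upward for production
SALT_BYTES = 16


class PasswordHistoryError(ValueError):
    """Raised when a new password matches one of the remembered passwords."""


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest). A fresh random salt is generated unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserAccount:
    """Minimal account model: only salted hashes are stored, never the passwords."""

    def __init__(self, username: str, initial_password: str) -> None:
        self.username = username
        # (salt, digest) pairs, newest last; the current password is history[-1].
        # The deque silently discards the oldest entry once HISTORY_SIZE is exceeded.
        self.history = deque(maxlen=HISTORY_SIZE)
        self.history.append(hash_password(initial_password))

    def is_reused(self, candidate: str) -> bool:
        """True if candidate equals the current password or any remembered previous one.

        Every entry carries its own salt, so the candidate must be re-hashed per entry;
        the stored digests cannot simply be compared to each other.
        """
        return any(verify_password(candidate, salt, digest) for salt, digest in self.history)

    def change_password(self, current_password: str, new_password: str) -> bool:
        """Rotate the password; raises if the caller cannot prove the current password
        or if the new password is one of the remembered ones. Returns True on success."""
        salt, digest = self.history[-1]
        if not verify_password(current_password, salt, digest):
            raise PermissionError("current password is incorrect")
        if self.is_reused(new_password):
            raise PasswordHistoryError(
                f"new password matches one of the last {HISTORY_SIZE} passwords"
            )
        self.history.append(hash_password(new_password))
        return True


if __name__ == "__main__":
    # Constructed demo: the same password is refused, a new one is accepted.
    acct = UserAccount("alice", "Winter2023!")
    for attempt in ("Winter2023!", "Spring2024!"):
        try:
            acct.change_password("Winter2023!", attempt)
            print(f"{attempt!r}: accepted")
        except PasswordHistoryError as exc:
            print(f"{attempt!r}: rejected ({exc})")
```

Because each history entry has its own salt, checking a candidate costs one slow hash per remembered entry; with 5 entries that is acceptable, but it is the reason the history should stay small. The same `is_reused` check must be applied on the administrator-forced reset path, not only on self-service changes, otherwise the forced reset can still be satisfied with the leaked password.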