Currently the password history is also saved if the "password history" setting is disabled. This means a lot of old password hashes are kept in the database with no benefit, as new passwords are not checked against them anyway.
If the database is leaked to an attacker, they gain the hashes of many more old passwords. This endangers users who, for example, changed their old passwords to new policy-compliant ones because of our app but still use the old, weaker passwords on other platforms: once an attacker cracks such a hash, they can retry the password against the user's other accounts.
The small improvement of not storing old password hashes, or even dropping the table, while the setting is disabled would mean fewer old passwords can be leaked.
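To make the proposal concrete, here is an added, self-contained Python sketch (not the project's code) of a password store with both behaviours side by side: `change_password_legacy` archives the old hash regardless of the setting, as described above, while `change_password` consults and writes history only when the policy is enabled and purges it otherwise, and `set_policy` drops all archived hashes when the setting is turned off. The `PasswordPolicy` fields, the PBKDF2 parameters and the in-memory dictionaries standing in for the database tables are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: a low iteration count so the example runs quickly; production
# deployments would use a far higher one (or a memory-hard KDF).
PBKDF2_ITERATIONS = 10_000

HashRecord = Tuple[bytes, bytes]  # (salt, digest)


@dataclass
class PasswordPolicy:
    history_enabled: bool = True
    history_size: int = 5  # assumption: old hashes retained per user when enabled (must be > 0)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashRecord:
    """PBKDF2-HMAC-SHA256 with a fresh random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, record: HashRecord) -> bool:
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserStore:
    """Constructed stand-in for the users and password-history tables."""
    policy: PasswordPolicy = field(default_factory=PasswordPolicy)
    current: Dict[str, HashRecord] = field(default_factory=dict)
    history: Dict[str, List[HashRecord]] = field(default_factory=dict)

    def create_user(self, user: str, password: str) -> None:
        self.current[user] = hash_password(password)

    def change_password_legacy(self, user: str, new_password: str) -> None:
        """Behaviour the report describes: the old hash is archived even when
        the history setting is disabled, so it is never checked but still leaks."""
        self.history.setdefault(user, []).append(self.current[user])
        self.current[user] = hash_password(new_password)

    def change_password(self, user: str, new_password: str) -> None:
        """Hardened variant: history is read and written only while enabled."""
        if self.policy.history_enabled:
            # Reject reuse of the current password or any archived one.
            candidates = [self.current[user]] + self.history.get(user, [])
            if any(verify_password(new_password, rec) for rec in candidates):
                raise ValueError("new password was used before")
            bucket = self.history.setdefault(user, [])
            bucket.append(self.current[user])
            del bucket[:-self.policy.history_size]  # keep only the newest N
        else:
            # Nothing will ever check these hashes, so keeping them only widens
            # the blast radius of a database leak: discard any stale entries.
            self.history.pop(user, None)
        self.current[user] = hash_password(new_password)

    def set_policy(self, policy: PasswordPolicy) -> None:
        """Disabling the setting drops every archived hash at once, the
        'drop the table' variant of the proposal."""
        self.policy = policy
        if not policy.history_enabled:
            self.history.clear()

    def archived_hash_count(self, user: str) -> int:
        return len(self.history.get(user, []))


if __name__ == "__main__":
    store = UserStore(PasswordPolicy(history_enabled=False))
    store.create_user("alice", "old-password")
    store.change_password_legacy("alice", "Newer-Pass-1")
    print("legacy, setting disabled:", store.archived_hash_count("alice"), "hash archived")
    store.change_password("alice", "Newer-Pass-2")
    print("hardened, setting disabled:", store.archived_hash_count("alice"), "hashes archived")
```

The `else` branch is the whole point: when the setting is off, the code path that would write to the history table is not reached, and an admin flipping the setting off later purges what was collected while it was on.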