This is a good idea, if the passwords are the ones people change *from* (i.e. once you change your password, it gets into that list). This way nobody can use the password anymore (with the idea that it is weak now, for any reason).
This is selfish, though. If that database of passwords leaks, they are prime candidates to test on *other* sites.
If you encrypt the prior passwords using a key derived from the current password, you're enabling this sort of check on password change without really sacrificing security, aren't you?
> If you encrypt the prior passwords using a key derived from the current password,
How can you do that with a prior password if you didn’t store it as plaintext when it was current? You can’t encrypt something you don’t have. Unless you are encrypting the old hash, not the password.
Yeah that was the idea. I guess a lot of apps don't actually do that and just email you password reset links, in which case you can't actually recover the old password. :<
Not plaintext, but encrypted (not hashed) with the idea that they can be used for things like that.
https://docs.microsoft.com/en-us/windows/security/threat-pro...
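
The scheme discussed in this thread, sketched as an added example (not code from any commenter): prior passwords sit in a blob sealed under a key derived from the current password, so only a change that supplies the current password can check for reuse. The function names, record layout, PBKDF2 iteration count and the SHAKE-256/HMAC construction (a stdlib stand-in for a real AEAD such as AES-GCM) are assumptions.

```python
import hashlib, hmac, json, os

def kdf(password: str, salt: bytes, label: bytes) -> bytes:
    # Stdlib PBKDF2; the iteration count is an illustrative value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + label, 100_000)

def seal(password: str, history: list) -> dict:
    salt, plain = os.urandom(16), json.dumps(history).encode()
    # Encrypt-then-MAC with a SHAKE-256 keystream: stand-in for a real AEAD.
    stream = hashlib.shake_256(kdf(password, salt, b"enc")).digest(len(plain))
    ct = bytes(a ^ b for a, b in zip(plain, stream))
    tag = hmac.new(kdf(password, salt, b"mac"), ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unseal(password: str, blob: dict) -> list:
    tag = hmac.new(kdf(password, blob["salt"], b"mac"), blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password or corrupted history")
    n = len(blob["ct"])
    stream = hashlib.shake_256(kdf(password, blob["salt"], b"enc")).digest(n)
    return json.loads(bytes(a ^ b for a, b in zip(blob["ct"], stream)))

def new_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": kdf(password, salt, b"login"),
            "history": seal(password, [])}

def change_password(acct: dict, current: str, new: str) -> bool:
    expected = kdf(current, acct["salt"], b"login")
    if not hmac.compare_digest(expected, acct["verifier"]):
        raise PermissionError("current password is wrong")
    # The history opens only with the current password; a reset-by-email
    # flow has no such key and would have to start a fresh history.
    history = unseal(current, acct["history"])
    if new == current or new in history:
        return False  # reuse rejected, record left unchanged
    salt = os.urandom(16)
    # Re-seal under the new password, adding the one being retired.
    acct.update(salt=salt, verifier=kdf(new, salt, b"login"),
                history=seal(new, history + [current]))
    return True

if __name__ == "__main__":
    acct = new_account("spring-2023")  # constructed sample passwords
    print(change_password(acct, "spring-2023", "summer-2023"))
    print(change_password(acct, "summer-2023", "spring-2023"))
```

A leaked record exposes the history only to someone who first recovers the current password from the verifier, at which point every earlier password is readable too.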