Oh, and getting back to the point, a site can store your past ten hashes without compromising security. It is fucking annoying though.
More modern security practice doesn’t require you to change your password, ever. If there is a required password change, it should be in years, not months. Your good password plus their good security practices means that even if hackers get every piece of data that company has, they still won’t be able to figure out your password for decades, or longer. And that’s only if they try your account first.
(If they take control of the website, they can just read your password when you type it. Another reason to not use the same password everywhere.)
Oh, and getting back to the point, a site can store your past ten hashes without compromising security. It is fucking annoying though.
More modern security practice doesn’t require you to change your password, ever. If there is a required password change, it should be in years, not months. Your good password plus their good security practices means that even if hackers get every piece of data that company has, they still won’t be able to figure out your password for decades, or longer. And that’s only if they try your account first.
(If they take control of the website, they can just read your password when you type it. Another reason to not use the same password everywhere.)