I use a password manager. I have no idea what ANY of my passwords are, as they're very long, very random, etc.
I get your point... but having an expiry that can't generate a notification is really bizarre. And having done enterprise financial software in a previous life (company was actually sold to FISERV, though I never went over), if our customers had been subjected to these conditions, it would have been a massive challenge.
I would think anyone enforcing password expiration would make sure the password is sufficiently (subjective) different from the current password. This should be simple to enforce by asking for the current password when you are asking for the new password. You can perform a text match before computing whatever hash you need to store.
That is certainly how you would do password expiry if you implement it as a true security measure. However, what if you just implement it because you were told 'we need password expiry', either because bosses think it is bad practice or because of regulatory requirements. In that case, you might very well decide to implement 'any difference is fine'. And really, given what we know about password expiry, that is the better approach.
Not having it would be better, but that would be insubordination.
Hmmm, good way to get users to become heated with your customer support. I've implemented this feature and had the CEO of the company come down 15 floors and tell me personally to revert the change for him because it was getting confusing for him to remember passwords. Everyone else in the company also demanded it once wind of this request spread...
This was the Middle East, and yes, they refused to use password manager programs because they didn't understand them.
It is largely agreed that Israel won the Arab-Israeli war because their NCOs on the ground were given much more leeway to make tactical decisions of their own. This was in stark contrast to the top-heavy and often bureaucratic tactical decision making of the Arab League.
Why am I mentioning this? Well, if you are an army leader, and you know that your soldiers in general have an IQ score of around 82, would you let them make their own decisions on the ground? How about if your soldiers were known for having almost 115?
Yeah, sure, how you decide to make your next password may of course be down to culture, and the decision to have a password manager is perhaps too. However at some point a password manager should be a requirement for even signing up to your service, much less becoming an employee, especially if you already know about the prevalent culture.
It's just too difficult to memorize a completely new, randomly generated password every 90 days. People will have to write them down, and then there's a whole new way for them to be compromised.
Not necessarily, you can have the user input the old password when setting up the new one, check it against the old hash and if it matches, do whatever comparisons you need between old and new.
Even if you don't want users' last 10 passwords to be "similar" (by whatever your definition of similar is), you can still hash the similar variants when you hash the original and check them.
I’m not saying whether this is a good idea or not. I haven’t thought through it.
Yep. I think I can recall exactly one corporate network that prevented password(n+1) combinations. Most don’t and as a result my corp passwords have historically not been great.
password1, password2, ... password23, password24.
This means that if you discover someone's current password, you also have their future 10+ passwords as well.