Why when you’ve gotten your password wrong 3 times and you’re asked to make a new one, no programs will allow you to use the same password you originally had?


5 Answers

Anonymous 0 Comments

You might want people to change passwords on regular intervals, like every 90 days. However, you don’t want them to just change it right back since that eliminates the purpose.

That same restriction exists all the time, no matter the reason for the change.

A lot of popular libraries will allow you to modify the timings for forced password changes and the minimum password history. People might disable the forced rotation portion but not care about the password history, despite it not being relevant without forced password changes.

Anonymous 0 Comments

It’s a security feature. The limit on attempts is to prevent someone guessing your password, either manually or via a program. The prohibition on using previously used passwords is also a security feature: it makes it more difficult to guess future passwords if past passwords can’t be used. The number of attempts is arbitrary, and more secure sites/networks/whatever you’re logging into will often have more restrictions (special characters, capital letters, numbers, no recognizable words, etc.)

Anonymous 0 Comments

It’s a common security “best practice” to maintain password history and disallow reuse of passwords. The idea being that requiring a different password each time the password is reset makes it less likely that your account can be compromised.

Anonymous 0 Comments

Some security experts believe that, if you allow people to reuse passwords, they will cycle through a small number endlessly with all of their accounts. Instead, users should create unique passwords each time.

Others believe that doing this causes users to create less-secure passwords because they’ve exhausted their ability to come up with something memorable. So, they resort to reusing old passwords with minor adjustments (e.g. “Passw0rd!” becomes “P4ssw0rd!”).

Many of these beliefs are based on outdated research. For instance, the whole “8 characters, capital, lowercase, and a number” thing? That’s been condemned by the guy who came up with it. It’s actually terrible for security.

Multi factor authentication (particularly unrestricted factor authentication like Google Authenticator) is the best widely-available security at the moment.
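The first answer describes a password history with a minimum age, and the answer above describes the “Passw0rd!” to “P4ssw0rd!” workaround that a plain history check does not catch. The following is an added example, not code from anyone in this thread, showing how both checks fit together in one password-change routine: only salted slow hashes of old passwords are kept, the current password (which the user has just proved they know) is compared against the new one after normalising case, trailing digits/symbols and common digit-for-letter substitutions, and the new password is then hashed against each remembered entry. The class name, parameter names, the normalisation table and the default limits are this example’s own assumptions, and the clock is injectable only so the minimum-age rule can be exercised.

```python
import hashlib
import hmac
import os
import time

# Added example (not the thread's own code). Names, defaults and the
# normalisation table below are this example's assumptions.

PBKDF2_ITERATIONS = 100_000   # slow hash: a leaked history table is costly to crack offline
STRIP_CHARS = "0123456789!@#$%^&*.?_-"   # trailing "2023!" style suffixes
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def normalize(password: str) -> str:
    """Undo the 'minor adjustments' users make: case, trailing digits/symbols, leet substitutions."""
    return password.lower().rstrip(STRIP_CHARS).translate(LEET_MAP)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain O(len(a)*len(b)) table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordPolicy:
    """One user's credential state. Only salted hashes are kept, never old plaintexts."""

    def __init__(self, initial_password: str, history_depth: int = 5,
                 min_age_seconds: int = 24 * 3600, min_distance: int = 3,
                 clock=time.time):
        self.history_depth = history_depth
        self.min_age_seconds = min_age_seconds
        self.min_distance = min_distance
        self.clock = clock
        self.history = []          # list of (salt, hash), newest last
        self.changed_at = clock()
        self._store(initial_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-self.history_depth]   # remember only the last N
        self.changed_at = self.clock()

    def verify(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def change_password(self, current: str, new: str) -> str:
        """Return 'ok' or the reason the change was refused."""
        if not self.verify(current):
            return "current password incorrect"
        if self.clock() - self.changed_at < self.min_age_seconds:
            return "minimum password age not reached"
        # The user just proved knowledge of `current`, so the two plaintexts
        # can be compared now; old entries exist only as hashes.
        if levenshtein(normalize(current), normalize(new)) < self.min_distance:
            return "too similar to current password"
        # Reuse check costs one slow hash per remembered entry: keep history_depth small.
        if any(hmac.compare_digest(_hash(new, salt), digest) for salt, digest in self.history):
            return "password was used recently"
        self._store(new)
        return "ok"
```

An administrator-driven reset after a lockout (the situation in the question) would normally bypass the minimum-age rule but still run the history and similarity checks; the similarity check only works at change time, because that is the one moment both plaintexts are available.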

Anonymous 0 Comments

The reason why you can’t use a password you originally had is because users would just continually use the same password. If the combination is always the same it makes it much easier to guess over time. It’s easier to hit a stationary target than a moving one.

If you were going to guess a card out of a standard 52 card deck, and you had unlimited time, you’d eventually get it. The chance you’ll get it right is lower if after three failures the ‘owner’ of the deck shuffles the card.

The chance of guessing it is even *lower* if you have to correctly guess the card *and* roll a dice. So a password with a good amount of uppercase letters, lowercase letters, special characters and numbers is like guessing two cards correctly, predicting a dice roll, and correctly guessing 5 coin tosses.