Why clear the history in the first place? Presuming you follow good password practices by not reusing passwords, what is the security risk with keeping a historical record of the old values?
I have encountered three scenarios where destroying old passwords would have left me in the lurch:
- The password-change mechanism silently fails and I do not notice until the next login.
- The server suffered a failure and needed to be restored to yesterday’s backup. Those who changed their password this morning need to know their old password.
- If I change my work password and my laptop is at home, it continues to use the old password until I bring it into the office so that it can sync with Active Directory.
I get that “one” old password may be enough, but I have had times where my new work password was not accepted, so I had to select a new one moments later — meaning that the laptop would need the 2x old password.