If the site knows my previous password after I reset it, why does it not accept it in the first place?


This has happened more than a few times for me: a site I’m on will suddenly not accept my correct password, forcing me to reset it, only for it to say “new password can’t be the same as the old password” when I try it as the new one. If it knew the password was the old password, why not just let me log in in the first place?

Edit: I think most of the answers here are misunderstanding the question. I know for certain I’m using the correct password at first; once it forces me to reset, I type in the SAME password to check if this situation is happening, and that’s when it says “new password can’t be the same as the old password”. I then give up and make a new one, because what else can I do. This has happened about a dozen times over my time on the internet.


12 Answers

Anonymous

I’ve done this numerous times, and for me at least it’s likely been user error. When it asked me to change the password, I’ve tried putting in the password I thought it was (and was refused initially), and it comes up with that message that it cannot be the same as the previous one. I then just go out of the password reset and try logging in again, and it works.

Anonymous

Two separate things:

1. The old password has expired. They cannot accept it and log you in because it is considered invalid and insecure.
2. The new password cannot be the same as the last one because of a security policy.

Anonymous

The real answer to your question is: the error message is wrong/unclear.

Your existing password is no longer being accepted for some reason: it could have expired, it could have been invalidated over security concerns, …

The error message should be clearer, but that’s often not a priority. It’s easy to miss or forget (the confusing error message is a transient issue anyway, once the password has been reset it no longer matters). It’s easy to deprioritise against other functionality that more directly impacts revenue because “it still works”. And in the case of potential security breaches, addressing the direct security impact (requiring a new password) is more urgent than updating the rest of the password-handling flow, which may be dealt with at a later stage.

The error message is just wrong; the reason is usually unpreparedness for a forced reset, or simple oversight during the implementation.

Anonymous

If you’re using a VPN, maybe the site just pretends your password is wrong because it doesn’t approve of the usage or doesn’t want you to see geoblocked content. A very specific and weird way to deal with the issue on their part, but I’ve had this happen to me.

Anonymous

Good question. I guess somebody started it, and then everybody did it, and it’s also relatively easy to implement. But it’s not really beneficial to change passwords regularly; they certainly don’t go bad over time. It makes passwords even harder to memorize and encourages bad practices like weak passwords, so there are not many places left that still do that.

Anonymous

It’s forcing you to pick a new password for added security. This site believes that old passwords that have been used by you are not as secure, because someone else could have gained access to them, and is therefore making you pick a new one.

Anonymous

If the password it’s rejecting is not your most recent but is in your last *n* passwords, then it’s just comparing the hashed version of your password to the last *n* hashed versions and all is as it should be.

But that’s not what you’ve described. If it’s rejecting your *current* password, then your password has been marked as expired/invalidated. There are a bunch of possible reasons. Some of them:

You’ve entered an incorrect password too many times, and now you’ve finally gotten it right when you do the reset (this has happened to me)

Some kind of auto-login using a saved password has been trying to connect using an out-of-date password (unusual in the modern web but I’m sure there’s a coder out there who’s capable of re-introducing this problem into the world)

Someone trying to get into your account has entered an incorrect password too many times

The company/website has reason to believe they’ve been compromised and they’re forcing all users to move to a new password

The company/website has changed their policy on password strength and is forcing users to pick a new password. In this case your existing password was already compliant but the force is a blanket one

The company/website expires passwords periodically but somehow their comms to you weren’t clear that this is what’s happening

Anonymous

The premise is wrong. Despite the wording of the message, the site doesn’t know your old password— only what “hash” (result of a calculation that can only be done easily in one direction) it has. If your new password results in a hash that it already knows, you’ll get the message.

Anonymous

I have also run into the “incorrect password” → *reset password* → *enter what I thought it was* → “new password can’t be old password” thing.
Some websites won’t let you reuse a certain number of passwords, say your last three. I have also decided that I may as well accept that this might be a different way to say your password is expired.

Anonymous

Passwords are (should be) stored in a database as a “hash”.

When you put in your password, the website hashes it then compares the hash to the database.

When you do a password reset, it compares the hash of your replacement password to the existing hash.

A hash is a one-way trap. We can’t (easily, quickly) convert a hash back to a password which is why the site cannot tell you the password. Of course, if it can it probably means your password is stored in a cleartext or reversible database. This is bad.
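The mechanics described in the answers above (login checks against a stored one-way hash; a forced reset is a separate flag on the account; the reset form compares the candidate against the current hash and the last *n* hashes) can be shown in one toy credential store. This is an added example written for this page, not code from any real site or from the thread. It assumes a salted PBKDF2-SHA256 hash, a hypothetical history depth of three and a hypothetical lockout after five wrong guesses; the iteration count is deliberately lower than a production setting so the example runs quickly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed toy credential store (example only, not any site's real code).
PBKDF2_ITERATIONS = 100_000   # lower than production so the example runs fast
HISTORY_DEPTH = 3             # assumption: the site forbids reusing the last 3 passwords
MAX_FAILED = 5                # assumption: 5 wrong guesses force a reset


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow hash: the site stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class StoredHash:
    salt: bytes
    digest: bytes

    def matches(self, password: str) -> bool:
        # Each stored hash has its own salt, so a candidate must be re-hashed per entry.
        return hmac.compare_digest(hash_password(password, self.salt), self.digest)


@dataclass
class Account:
    current: StoredHash
    history: list = field(default_factory=list)  # older StoredHash values, newest first
    must_reset: bool = False                      # set by expiry, lockout or breach response
    failed_attempts: int = 0


def make_hash(password: str) -> StoredHash:
    salt = os.urandom(16)
    return StoredHash(salt, hash_password(password, salt))


def create_account(password: str) -> Account:
    return Account(current=make_hash(password))


def login(acct: Account, password: str) -> str:
    """Return 'ok', 'wrong_password' or 'reset_required'.

    The point of the thread: the site *can* recognise the correct password while
    still refusing to log you in, because must_reset is a separate flag. A site
    that reports 'incorrect password' in that second case has a misleading message.
    """
    if not acct.current.matches(password):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED:
            acct.must_reset = True       # lockout: valid password no longer lets you in
        return "wrong_password"
    acct.failed_attempts = 0
    if acct.must_reset:
        return "reset_required"
    return "ok"


def reset_password(acct: Account, new_password: str) -> str:
    """Return 'ok', 'same_as_current' or 'in_history'.

    Nothing here knows the old password; it only re-hashes the candidate under
    each stored salt and compares digests.
    """
    if acct.current.matches(new_password):
        return "same_as_current"
    if any(old.matches(new_password) for old in acct.history):
        return "in_history"
    acct.history = [acct.current] + acct.history[: HISTORY_DEPTH - 1]
    acct.current = make_hash(new_password)
    acct.must_reset = False
    acct.failed_attempts = 0
    return "ok"


if __name__ == "__main__":
    acct = create_account("hunter2")
    acct.must_reset = True  # e.g. the site expired it or responded to a breach
    print(login(acct, "hunter2"))               # reset_required, not wrong_password
    print(reset_password(acct, "hunter2"))      # same_as_current
    print(reset_password(acct, "correct horse"))  # ok
    print(reset_password(acct, "hunter2"))      # in_history
```

Two things worth noticing when running it: the account never stores a password, only salted digests, so "same as the old password" is decided by re-hashing the candidate under each stored salt; and the login path distinguishes a wrong password from a correct-but-expired one, which is exactly the distinction the confusing "incorrect password" message in the question collapses.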