This has happened more than a few times for me, a site I’m on will suddenly not accept my correct password, forcing me to reset it, only for it to say “new password can’t be the same as the old password” when I try it as the new one, if it knew the password was the old password, why not just let me login in the first place?
Edit: I think most of the answers here are misunderstanding the question, I know for certain I’m using the correct password at first, once it forces me to reset, I type in the SAME password to check if this situation is happening and that’s when it says “new password can’t be the same as the old password”, I then give up and make a new one cuz what else can I do. This has happened about a dozen times over my time on the internet
In: 25
Passwords are (should be) stored in a database as a “hash”
When you put in your password, the website hashes it then compares the hash to the database.
When. You do a password reset, it compares the hash of your replacement password to the existing hash.
A hash is a one-way trap. We can’t (easily, quickly) convert a hash back to a password which is why the site cannot tell you the password. Of course, if it can it probably means your password is stored in a cleartext or reversible database. This is bad.
There could be two reasons for that. First, you kept making some silly mistake when trying to enter your password. Maybe you had caps lock on. Maybe a key on your keyboard was sticky and not pressing down properly. When you reset your password, you don’t repeat this mistake and enter what is your correct password.
Second, it might be a previous password from before. Let’s that you have your first password. For whatever reason, you can’t remember that password at the moment or are not typing it correctly, so you reset and create password no. 2. Later, you screw up with password no. 2, so you go to create password no. 3. However, since your mind works in consistent matter and your passwords follow a general trend, you try to make password no. 1 your new password no. 3. The site won’t let you because it is an old password.
I have also run into the “incorrect password” *reset password* *enter what i thought it was* “new pass word can’t be old password” thing.
some websites won’t let you reuse a certain number of passwords, so say your last three. i have also decided that i may as well accept that this might be a different way to say your password is expired
If the password it’s rejecting is not your most recent but is in your last *n* passwords, then it’s just comparing the hashed version of your password to the last *n* hashed versions and all is as it should be.
But that’s not what you’ve described. If it’s rejecting your *current* password, then your password has been marked as expired/invalidated. There’s a bunch of possible reasons. Some of them:
You’ve entered an incorrect password too many times, and now you’ve finally gotten it right when you do the reset (this has happened to me)
Some kind of auto-login using a saved password has been trying to connect using an out-of-date password (unusual in the modern web but I’m sure there’s a coder out there who’s capable of re-introducing this problem into the world)
Someone trying to get into your account has entered an incorrect password too many times
The company/website has reason to believe they’ve been compromised and they’re forcing all users to move to a new password
The company/website has changed their policy on password strength and is forcing users to pick a new password. In this case your existing password was already compliant but the force is a blanket one
The company/website expires passwords periodically but somehow their comms to you weren’t clear that this is what’s happening
Good question. I guess somebody started it, and then everybody did it and it’s also relatively easy to implement. But it’s not really beneficial to change passwords regularly, they certainly don’t go bad over time. It makes passwords even harder to memorize and encourages bad practices like weak passwords, so there are not many places left that still do that.
The real answer to your question is: the error message is wrong/unclear.
Your existing password is not longer being accepted for some reason: it could have expired, it could have been invalidated over security concerns, …
The error message should be clearer, but that’s often not a priority. It’s easy to miss or forget (the confusing error message is a transient issue anyway, once the password has been reset it no longer matters). It’s easy to deprioritise against other functionality that more directly impacts revenue because “it still works”. And in the case of potential security breaches, addressing the direct security impact (requiring a new password) is more urgent than updating the rest of the password-handling flow, which may be dealt with at a later stage.
The error message is just wrong; the reason is usually unpreparedness for a forced reset, or simple oversight during the implementation.
Latest Answers