If you're building a web system and your password complexity requirements forbid users from reusing any of their ten last used passwords, especially if reqs also mismatch with prevailing practices, understand that you are condemning every single user who doesn't use a password manager to "Forgot Password" on EVERY LOGIN until the end of time. I'm not creating a new mnemonic for that piece of shit, and so I'm probably not paying the bills timely either when the reset facility interrupts me!
I have this one account with a bank that requires specific characters that others don't, forbids characters that others require, and rejects any of your ten last used passwords.
I have logged in properly to this account exactly once, four years ago when I created it. Never again
