If you're building a web system and your password complexity requirements forbid users from reusing any of their ten last used passwords, especially if reqs also mismatch with prevailing practices, understand that you are condemning every single user who doesn't use a password manager to "Forgot Password" on EVERY LOGIN until the end of time. I'm not creating a new mnemonic for that piece of shit, and so I'm probably not paying the bills timely either when the reset facility interrupts me!