How can I store a password history to prevent reuse?
Store the old salt and hash values. Hash the new input with any old salts and see if they match.
If it worked for checking the password when they logged in normally, it will work for checking if the password has been used before too.
If password1 = password2
, then hash(password1, salt1) = hash(password2, salt1)
.
In other words:
Bcrypt the new password with the same salt and iteration count.
Compare the hashes.
If the new hash is different from the old hash, then everything is okay (according to your criteria), and you can simply re-hash the new password with a new unique salt and store it in the database.
If the new hash is the same, then the new password is the same as the old password. Tell your user to choose a new one.