Emberly Docs

Password Reuse Prevention

How Emberly prevents you from reusing old passwords when updating your credentials.

When you change your password, Emberly checks it against your past passwords to prevent reuse. This reduces risk from credential leaks.

How It Works

Emberly stores a history of your last 12 passwords as bcrypt hashes. When you set a new password:

  1. The new password is checked against your last 5 passwords
  2. If it matches any, the change is rejected with an error
  3. If it's unique, the change is accepted and the new hash is added to history

Older entries beyond 12 are automatically cleaned up.

What's Stored

Only bcrypt hashes are stored — never plaintext passwords. The same algorithm used for your current password is used for history entries.

Database: PasswordHistory
──────────────────────────────────
id         String (CUID primary key)
userId     String (foreign key)
password   String (bcrypt hash)
createdAt  DateTime
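
An added sketch of the check described under How It Works, run against rows shaped like the PasswordHistory table above. It is not Emberly's own code: Node's built-in scrypt stands in for bcrypt so it runs without extra packages, and hashPassword, verifyPassword and changePassword are hypothetical names.

```javascript
// Added example, not Emberly's code. scrypt stands in for bcrypt so this runs
// on Node's standard library alone; both embed a random salt in every hash.
const crypto = require('node:crypto');

const REUSE_WINDOW = 5;   // page: new password is checked against the last 5
const HISTORY_LIMIT = 12; // page: hashes of the last 12 passwords are kept
const REUSE_ERROR =
  'That password was recently used. Please choose a different password.';

// Hypothetical helper: salted hash stored as "saltHex:digestHex".
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const digest = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${digest.toString('hex')}`;
}

// Re-derive with the stored salt, then compare in constant time.
function verifyPassword(password, stored) {
  const [saltHex, digestHex] = stored.split(':');
  const expected = Buffer.from(digestHex, 'hex');
  const salt = Buffer.from(saltHex, 'hex');
  const actual = crypto.scryptSync(password, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// history: rows shaped like PasswordHistory ({ password, createdAt }), any order.
// Returns the updated history without mutating the input.
function changePassword(history, newPassword, now = Date.now()) {
  const newestFirst = [...history].sort((a, b) => b.createdAt - a.createdAt);
  // Two hashes of the same password differ because of the salt, so each
  // stored hash must be verified; comparing hash strings would never match.
  const reused = newestFirst
    .slice(0, REUSE_WINDOW)
    .some((row) => verifyPassword(newPassword, row.password));
  if (reused) return { ok: false, error: REUSE_ERROR, history };
  const row = { password: hashPassword(newPassword), createdAt: now };
  // Newest row first, then drop everything past the retention limit.
  return { ok: true, history: [row, ...newestFirst].slice(0, HISTORY_LIMIT) };
}
```

A password that sits in positions 6 to 12 of the history is still stored but is accepted again, because only the five newest rows are verified.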

Error Messages

If you try to reuse a recent password:

That password was recently used. Please choose a different password.

This is shown on:

  • The Profile → Security settings page when changing your password
  • The Password Reset flow after clicking a reset email link

Backward Compatibility

If you created your account before this feature was added, your current password is automatically added to history the next time you log in. No action is needed.

Password Requirements

Rule             Requirement
──────────────────────────────────
Minimum length   8 characters
Reuse window     Cannot reuse last 5 passwords
History kept     Last 12 passwords stored
Storage          bcrypt hash only — never plaintext

Tips for Strong Passwords

  • Use a password manager to generate unique credentials for every site
  • Avoid predictable patterns like Password1, Password2
  • A passphrase (correct-horse-battery-staple) is more secure and easier to remember than a short complex password
  • Enable two-factor authentication for an extra layer of protection
