At the moment, when a password expires the user must change the password.
The configuration CHANGE_PASSWORD_MUST_DIFFER doesn't allow the user to reuse the old password,
but after changing the password, the user can reset the password to the old one.
My idea is to change the logic to become DON"T_ALLOW_OLD_PASSWORD_FOR_PERIOD_OF_TIME,
and the admin can define the number of days.
The user can't reuse an old password that has an age in this range.
Example: define DON"T_ALLOW_OLD_PASSWORD_FOR_PERIOD_OF_TIME = 30;
the user can't reset to a password that has age < 30 days + expiration.
Also, I think this configuration and USER_LOCKING_MAX_PASSWORD_AGE_DAY should be moved to Password Rules.
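
The time-window check proposed above, as an added Python sketch; it is not code from the product under discussion. `PasswordHistory`, `REUSE_BLOCK_DAYS` and the 90-day maximum age are hypothetical or constructed, and "age" is assumed to be measured from when a password was set, so the window is the block period plus the maximum password age.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

REUSE_BLOCK_DAYS = 30        # hypothetical stand-in for the proposed setting
MAX_PASSWORD_AGE_DAYS = 90   # constructed value for USER_LOCKING_MAX_PASSWORD_AGE_DAY

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordHistory:
    """Salted hashes of every password a user has had, with the time each was set."""

    def __init__(self):
        self.entries = []  # (set_at, salt, digest), newest last

    def _matches(self, entry, candidate):
        _, salt, digest = entry
        return hmac.compare_digest(digest, _hash(candidate, salt))

    def check(self, candidate, now):
        """Return None if the candidate is allowed, else the rejection reason."""
        # Existing behaviour: the new password must differ from the current one.
        if self.entries and self._matches(self.entries[-1], candidate):
            return "same as current password"
        # Proposed behaviour: older passwords stay blocked inside the window.
        window = timedelta(days=REUSE_BLOCK_DAYS + MAX_PASSWORD_AGE_DAYS)
        for entry in self.entries[:-1]:
            if now - entry[0] < window and self._matches(entry, candidate):
                return "old password still inside the reuse window"
        return None

    def change(self, candidate, now):
        reason = self.check(candidate, now)
        if reason:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.entries.append((now, salt, _hash(candidate, salt)))

def demo():
    t0 = datetime(2024, 1, 1)                  # constructed timeline
    history = PasswordHistory()
    history.change("Winter-2024!", t0)
    expired = t0 + timedelta(days=MAX_PASSWORD_AGE_DAYS)
    history.change("Spring-2024!", expired)    # forced change at expiry
    # Switching straight back is the gap described in the post; now rejected.
    back = history.check("Winter-2024!", expired + timedelta(minutes=1))
    # Once the old password is older than 30 + 90 days it is allowed again.
    later = history.check("Winter-2024!", t0 + timedelta(days=121))
    return back, later
```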