Cognito - Disabling password reuse (last x passwords)

0

We have many downstream client requests to prevent the reuse of passwords when a user changes their passwords in our applications. We are using Cognito User Pools to manage all users and store no credentials at all in our system databases.

Is there any way to configure parameters on a user account to disallow them from using the same password that has previously been used?

We don't want to make the push to Federated auth (to allow the clients to manage this on their side) because a lot of smaller customers don't necessarily have the means to set up an identity provider or an IT team to manage it or push to MFA for the same reason.

Any help with this functionality, or a known open issue that we can track, would be appreciated!

asked 2 years ago · 4893 views
2 Answers
1
Accepted Answer

Hi there,

I understand that you would like to set password reuse policies and would like to know if there is a way to configure parameters on a user account to disallow them from using the same password that has previously been used.

Regretfully, at the moment, Cognito does not support preventing users from re-using the same password.

By design, Cognito does not actually transfer and store the user's password; instead it uses the Secure Remote Password (SRP) protocol for password verification during authentication. You can find more SRP information here[1]. For security reasons, Cognito only transfers the SRP password verifier under the hood, instead of the user's actual password. This is the reason it does not store the history of a user's previous passwords and compare them against the new one the user is trying to change to.

A workaround to apply this restriction would be implementing your own policy verification when calling the Change Password API [2] in your code, or saving the password hash as a custom attribute and then comparing it with the new one. Either option would involve storing passwords, which is not in line with security best practices, so I would recommend you check your company's security policies before doing anything.

Please keep an eye on the What's New page[3] and AWS Blogs[4] to know more about future releases. Additionally, you can also monitor the Cognito Document History page[5], where new Cognito feature releases are announced.

I hope you find this information helpful.

Have a great day ahead.

========= Resources

[1] SRP: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

[2] Change Password API: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ChangePassword.html

[3] What's New: https://aws.amazon.com/new/

[4] AWS Blogs: https://aws.amazon.com/blogs/aws/

[5] Document History for Amazon Cognito - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-document-history.html

Mfanelo
answered 2 years ago
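An added example of the first workaround described in the accepted answer (this is not code from the answer, the original post, or AWS): keep only salted, slow hashes of the last few passwords and check the proposed password against them before calling ChangePassword. The Cognito call is injected as a callable so the module runs offline; in production you would pass boto3's `change_password(PreviousPassword=..., ProposedPassword=..., AccessToken=...)`. `HISTORY_DEPTH` and the PBKDF2 work factor are assumed values to tune for your environment.

```python
"""Password-history check in front of Cognito's ChangePassword call."""
import hashlib
import hmac
import os
from typing import Callable, List, Tuple

# One entry per remembered password: (salt, iterations, digest). The password
# itself is never stored; each entry has its own salt and records its own work
# factor so the parameters can be raised later without invalidating history.
HistoryEntry = Tuple[bytes, int, bytes]

DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune it)
HISTORY_DEPTH = 5             # the "last x passwords" to remember (assumed value)


class PasswordReuseError(ValueError):
    """Proposed password matches one of the remembered previous passwords."""


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def was_recently_used(password: str, history: List[HistoryEntry]) -> bool:
    """True if `password` matches any remembered entry."""
    reused = False
    for salt, iterations, digest in history:
        # Check every entry rather than returning early, so response time does
        # not reveal which historical entry matched.
        if hmac.compare_digest(_derive(password, salt, iterations), digest):
            reused = True
    return reused


def remember_password(history: List[HistoryEntry], password: str,
                      depth: int = HISTORY_DEPTH,
                      iterations: int = DEFAULT_ITERATIONS) -> None:
    """Append a fresh salted hash and drop entries older than `depth` (depth >= 1)."""
    salt = os.urandom(16)
    history.append((salt, iterations, _derive(password, salt, iterations)))
    del history[:-depth]


def change_password_with_history(history: List[HistoryEntry], previous: str,
                                 proposed: str,
                                 cognito_change_password: Callable[[str, str], None],
                                 *, iterations: int = DEFAULT_ITERATIONS) -> None:
    """Reject reuse locally, then let Cognito verify `previous` and apply its own policy."""
    if was_recently_used(proposed, history):
        raise PasswordReuseError("password was used recently; choose a different one")
    cognito_change_password(previous, proposed)  # raises on failure; nothing recorded then
    remember_password(history, proposed, iterations=iterations)
```

Keep the history in your own datastore (or as the custom attribute the answer mentions), keyed by user, and treat it with the same care as any other credential material.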
0

I did not see a change on this (lack of) feature. Anything changed?

answered 2 months ago
