It is. The watershed publicity moment was in 2010, when the research paper came out.[0] It took another 6-7 years before the news percolated high enough in the political chain, and now both NIST and NCSC recommend against the outdated practices. And the infosec community had been arguing against the stupidity for what, 20+ years?
Now, there is a place for rotation - when the so-called password is in reality a shared secret. (E.g. the secrets in payment gateways.) Such things need to be rotated, because the basic assumption is that they will be compromised. No matter what you do, someone will copy-paste a long-lived secret to the wrong place at some point.
Thanks. What I find the worst about 'must not be similar to past pw' is that you have to store the pw in plain text somewhere (or at least retrievable).
An alternative to storing the pw in plain text is to ask the user to provide their current password at the same time as the new password. The password change routine can then check that the current password is correct (which protects against the threat of an attacker coming across an unlocked terminal with a logged-in session and changing the password) and provide the current password against which the new password can be compared.
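The change routine described in the comment above, as an added example (not code from the commenter): it verifies the re-entered current password against a stored salted PBKDF2 hash, then compares that re-entered password with the proposed new one using an edit-distance check, so nothing plaintext or reversible is ever stored. The PBKDF2 work factor, the similarity threshold and the sample passwords are assumptions made for this demo.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000          # assumed work factor for this demo
SUFFIX_CHARS = "0123456789!@#$%^&*"  # common "bump the year / add a bang" suffixes


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest); only this pair is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_edits: int = 3) -> bool:
    """Catch 'Winter2023!' -> 'Winter2024!' style changes; threshold is an assumption."""
    a, b = old.casefold(), new.casefold()
    if levenshtein(a, b) <= max_edits:
        return True
    core_a, core_b = a.rstrip(SUFFIX_CHARS), b.rstrip(SUFFIX_CHARS)
    return len(core_a) >= 4 and len(core_b) >= 4 and (core_a in b or core_b in a)


def change_password(record: dict, current: str, new: str) -> tuple[bool, str]:
    """Re-authenticate with the current password, then reject near-duplicates."""
    if not verify_password(current, record["salt"], record["hash"]):
        return False, "current password incorrect"
    if too_similar(current, new):
        return False, "new password too similar to current password"
    record["salt"], record["hash"] = hash_password(new)
    return True, "password changed"


# Constructed sample record for a user whose current password is "Winter2023!".
SAMPLE_RECORD = dict(zip(("salt", "hash"), hash_password("Winter2023!")))
```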
0: https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf