If the Crowd directory is configured to disallow repeated/old passwords on password change, the reset attempt will be rejected if the user attempts to input a repeated/old password.
The problem is that after the user attempts to key in a new password afterward the rejected attempt, it will display an error message saying that the password token is now invalid and the user will be required to request for a new token.
Either one of the following:
- After the initial password reset attempt is rejected, the user should be notified that the password reset token is now invalid and be prompted to create a new one instead immediately.
- Allow the user to continue with the password reset attempt and reset their password to an accepted one.