With respect to a given information system (IS) asset, a log of expired passwords, used primarily for automatic comparison with proposed new passwords. A password history is used to ensure that proposed new passwords were not used in the recent past, if ever, in connection with the IS asset in question. A password history may be limited to only a prescribed number of expired passwords (the usual case) with any overflow (i.e., the earliest) being discarded as new ones are added; or it may retain expired passwords only for a prescribed period of time; or both. A password history represents a tool that may be used to ensure that passwords are not repeated within a period of time that is deemed consistent with the sensitivity of the protected information system asset.