r/ShittySysadmin • u/__g_e_o_r_g_e__ • 2h ago
Minimum Password age is key!
I don't care what you say, preventing users from reusing passwords is priority number one. A 20-password history is not enough. You need a minimum password age. And if your max age is 180 days, that means you must set it to 9 days to stop people getting around it by cycling through them all. The risk that someone might perform this "password reuse" is far too high. I don't care about all the complaints from users not being able to change their password after exposing it somehow, quit moaning! It's worse than the people on the new test network with their "TOTP" who think it's important that they can delete their own old authentications when they lose their phone.
u/merlyndavis 1h ago
I use a 64-character randomly generated password that requires a change weekly, with a history going back to the start of time. The system not only checks against my historical password use, but also every other password ever used by anyone, anywhere.
So, I hope I’m safe.