Set policy for password history
A companies security policy often has rules stating that a password may not be reused. To facilitate this many applications have a feature that allows the administrator to state how many passwords the application should remember until a password can be reused. Think, for example, a maximum of 10 password that the application must remember.
D. Planque commented
This is also one of the aspects the OWASP top 10 advises to test:
Link OWASP top10 - https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet