and it remembered the last 5 and wouldn't let you repeat any of them.
Heh! When I worked for the NHS my employee e-mail / profile password had to have at least one number and one letter and be a minimum of six. We were always trying to get it up to twelve, to the horror of non-tech managers and IT support staff.
mine was something like
xxxxxxxxxxxxx30 when I was thirty
xxxxxxxxxxxxx31 when I was thirty one
xxxxxxxxxxxxx32 when I was thirty two
Their system only checked that old and the new were different, and it had to be changed once a year. No big deal. The average NHS employee doesn't actually have anything sensitive or controversial in their personal accounts. Auditor accounts may have had attachments with weaknesses found in systems, but with one or two unusual exceptions, we're talking standard stuff, such as a lack of backup admin user access if the boss gets killed. In reality, IT would sort it in an afternoon.