Password Reuse Vulnerability on AWS Sign-in Page via Password Reset Flow leads to Security Policy Violation
Vulnerability Details
## Asset URL:
██████
## Summary:
The AWS sign-in page allows users to reuse old passwords when resetting their password, which violates security best practices outlined in OWASP Authentication Cheat Sheet and NIST 800-63B Digital Identity Guidelines. This misconfiguration could potentially weaken account security by allowing users to maintain the same password indefinitely.
## Steps To Reproduce:
1. Navigate to the AWS sign-in page: ██████████
2. Click on "Forgot password" link
3. Complete the password reset process via email
4. When setting a new password, enter the same password that was previously used
5. The system accepts the reused password without any restrictions or warnings
## Supporting Material/References:
* Video demonstration: amazon_bounty.webm
According to OWASP Authentication Cheat Sheet:
"Users should not be able to reuse their recent passwords when choosing a new password. At a minimum, the application should ensure that the new password is not the same as the current password."
And per NIST 800-63B Digital Identity Guidelines:
"When processing a password change request, verifiers SHALL compare the prospective secrets with secrets previously used by the subscriber and SHALL reject them if they are found to be the same as one previously used."
These standards emphasize preventing password reuse to enhance account security.
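As an added illustration (not part of the original report, and not AWS's own code), the following is a minimal password-reset handler that enforces the check the quoted standards describe: the prospective password is compared against the current credential and a short history of previous ones, and rejected if it matches any of them. The history depth, the iteration count, and the function and class names are assumptions made for this example; stored entries are salted PBKDF2 digests and comparisons are constant-time, so the history never holds plaintext.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed policy values for this example; a production deployment would tune both.
HISTORY_DEPTH = 5      # previous passwords remembered, in addition to the current one
ITERATIONS = 100_000   # PBKDF2 work factor

StoredHash = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh salt is used for each stored entry."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    current: StoredHash
    history: List[StoredHash] = field(default_factory=list)  # most recent first


def create_account(password: str) -> Account:
    return Account(current=hash_password(password))


def reset_password(account: Account, new_password: str) -> str:
    """Password-reset step.

    Returns 'reuse_current' if the new password equals the one in use,
    'reuse_recent' if it matches one of the last HISTORY_DEPTH passwords,
    and 'ok' after the credential has been rotated.
    """
    if matches(new_password, *account.current):
        return "reuse_current"
    for salt, digest in account.history:
        if matches(new_password, salt, digest):
            return "reuse_recent"

    # Accept: push the old credential onto the history, trim it, install the new one.
    account.history.insert(0, account.current)
    del account.history[HISTORY_DEPTH:]
    account.current = hash_password(new_password)
    return "ok"


if __name__ == "__main__":
    acct = create_account("Winter-2025!")            # constructed sample credential
    print(reset_password(acct, "Winter-2025!"))      # reuse_current
    print(reset_password(acct, "Spring-2026!"))      # ok
    print(reset_password(acct, "Winter-2025!"))      # reuse_recent
```

The behaviour the report describes corresponds to a handler that skips the two comparisons and goes straight to the "accept" branch; the OWASP minimum is satisfied by the first check alone, and the history loop covers the NIST requirement to compare against previously used secrets.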
## Timestamp:
2026-01-16
3:00am
## Report Stats:
- Report ID: 3514122
- State: Closed
- Substate: informative