0
votes

Suppose you store hashed and salted passwords, e.g. with Bcrypt. One day, you learn that user Bob's password has been compromised. You set his password to a strong, random string and notify him that he must reset his password. So far so good.

But Bob goes through the password reset process and types in the same, compromised password. Now his account is once again at the mercy of the attacker.

Can Bob be prevented from using the same password again? Without a salt, that would be straightforward. You could record the old, compromised hash and compare it against the hash of the new password Bob is attempting to enter. But with a salt, that doesn't seem feasible.

Is this an unsolvable problem?

Edit: I guess I was being silly. I'm not sure why I thought this was any different than checking the password at login. As martinstoeckli says, so long as you still have the old hash and salt, you can always compare the user's input against it.

1
You could store a handful of the previous pass hashes used and check their new password against that. – Andrew Barber

1 Answer

1
votes

Just keep the old compromised password hash, and do the same steps as you would do when verifying the password for the login. This also works with salted password hashes; the situation is not different from the login verification.
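The check described in this answer and in the comment above, as an added example that is not part of the original posts: the retired hash is kept with its salt, and a proposed new password is verified against it exactly as at login. PBKDF2 from Python's standard library stands in for Bcrypt so the block runs without third-party packages; `PasswordRecord`, `Account`, the function names and the iteration count are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000  # assumed work factor for this example only

@dataclass(frozen=True)
class PasswordRecord:
    """What the database stores: the per-password salt and the derived hash."""
    salt: bytes
    digest: bytes

def hash_password(password: str, salt: bytes | None = None) -> PasswordRecord:
    """Derive a hash; a fresh random salt is used unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return PasswordRecord(salt, digest)

def verify(password: str, record: PasswordRecord) -> bool:
    """Login-style check: re-derive with the record's own salt, compare in constant time."""
    candidate = hash_password(password, record.salt)
    return hmac.compare_digest(candidate.digest, record.digest)

@dataclass
class Account:
    current: PasswordRecord
    # Compromised or previous records, each kept together with its salt.
    rejected: list[PasswordRecord] = field(default_factory=list)

    def force_reset(self) -> None:
        """Retire the compromised hash (but keep it) and set a random password."""
        self.rejected.append(self.current)
        self.current = hash_password(os.urandom(32).hex())

    def set_password(self, new_password: str) -> bool:
        """Accept the new password only if it matches none of the retained records."""
        # Every record is checked with its own salt, so the cost is one
        # hash computation per retained record.
        reused = [verify(new_password, old) for old in self.rejected]
        if any(reused):
            return False
        self.current = hash_password(new_password)
        return True
```

Each retained record costs one full hash computation per reset attempt, so the history list should stay short.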