Right now keycloak supports one password history policy - depending on configuration, when the password is changed it can't be reused. We have an option to configure a number of passwords stored, if the password is too recent - the policy will kick in.
Feature enhancement would be to add an option to define a period instead of the number of uses. Let's say we want to make sure that users can't reuse the same password in a certain number of days.
The time-based policy would work with the current password history policy, more restrictive policy would be preferred if both are set.

Naming used in examples:

• history policy = current implementation, a user can't reuse password X times
• time based policy = approach that calculates password age. To reuse, the password has to be older than X days.

Scenario 1:
Realm configuration

• time-based policy set to 30 days
• history policy set to 5 passwords

The user recently changed the passwords:

• password_1 35 days ago
• password_2 25 days ago
• password_3 15 days ago
• password_4 10 days ago

When the user tries to reuse password_1 the history policy kicks in, a new password should be different.

Scenario 2:
Realm configuration

• time-based policy set to 30 days
• history policy set to 2 passwords

The user recently changed the passwords:

• password_1 25 days ago
• password_2 20 days ago
• password_3 15 days ago
• password_4 10 days ago

When the user tries to reuse password_1 the time-based policy kicks in, a new password should be different.

Scenario 3:
Realm configuration

• time-based policy set to 30 days
• history policy set to 2 passwords

The user recently changed the passwords:

• password_1 35 days ago
• password_2 20 days ago
• password_3 15 days ago
• password_4 10 days ago

When the user tries to reuse password_1 it's possible as both policies allow it. If the user tries password_2, a time-based policy will kick in not allowing the password to be reused. If the user tries password_3 and password_4 both policies wouldn't validate the change.