[SYNCOPE-928] check existing password before store the new one
diff --git a/core/src/main/java/org/apache/syncope/core/persistence/validation/entity/SyncopeUserValidator.java b/core/src/main/java/org/apache/syncope/core/persistence/validation/entity/SyncopeUserValidator.java
index e471f0e..5b98783 100644
--- a/core/src/main/java/org/apache/syncope/core/persistence/validation/entity/SyncopeUserValidator.java
+++ b/core/src/main/java/org/apache/syncope/core/persistence/validation/entity/SyncopeUserValidator.java
@@ -74,7 +74,8 @@
                 }
 
                 // update user's password history with encrypted password
-                if (maxPPSpecHistory > 0 && object.getPassword() != null) {
+                if (maxPPSpecHistory > 0 && object.getPassword() != null
+                        && !object.getPasswordHistory().contains(object.getPassword())) {
                     object.getPasswordHistory().add(object.getPassword());
                 }
                 // keep only the last maxPPSpecHistory items in user's password history