Monitor use of old passwords

I agree that using the previous password will be a common error of legitimate users. I think however that use of passwords older than that would always indicate compromise. This could be so much more important to log on an ssh server, for instance, than simply having a message in a log that an incorrect password attempt was blocked. Regardless of how an attempted intruder obtained an old password, the attempted use of a password older than the current or previous one should be a red flag for the organization.