Comment by dspillett
3 days ago
Not if the check is done client-side, so the plain password never leaves you local domain. Of course the check being done client-side means that it isn't difficult to skip if you are inclined to make a smidgin of effort.
It can be done server side too, the old password can be sent along the new one and the server can verify it.