Maybe I'm missing something, but it appears that if you expose this new assertion as part of a change-password service on your front end, you could potentially be allowing brute-force attempts against your accounts. Any "bad" attempt at the old password should count against the "failed attempts" on the account; however, this assertion does not do that, nor does it lock/disable the account like it should. Further, it appears that it evaluates the contents of the new password first. This means there is yet another way of brute-forcing this assertion: by brute-forcing against the new password until "this is too similar to the current/old password" is received.
Can someone tell me if I'm misunderstanding something? We want to use this, but as it stands, it opens us up to automated brute force attacks.
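As an added illustration (not code from the product or the poster) of the ordering and accounting the post is asking for, here is a minimal change-password handler: it verifies the old password before looking at the new one, counts every failed old-password check against a lockout threshold, and only evaluates the similarity rule once the caller has proven the old password. The hashing parameters, lockout threshold and similarity rule are assumed placeholders, not the product's.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold, not a product setting


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 chosen here for a dependency-free example; parameters are illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, password_hash=hash_password(password, salt))


def too_similar(old: str, new: str) -> bool:
    # Placeholder policy: reject if either password contains the other (case-insensitive).
    o, n = old.lower(), new.lower()
    return o in n or n in o


def change_password(acct: Account, old: str, new: str) -> str:
    """Returns one of: 'locked', 'bad_old_password', 'too_similar', 'ok'."""
    if acct.locked:
        return "locked"
    # Step 1: authenticate with the OLD password before touching the new one, so a wrong
    # old password can never receive the 'too_similar' answer and so each failure counts.
    if not hmac.compare_digest(hash_password(old, acct.salt), acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "bad_old_password"
    acct.failed_attempts = 0  # successful authentication resets the counter
    # Step 2: only a caller who knows the old password reaches the policy check.
    if too_similar(old, new):
        return "too_similar"
    acct.salt = os.urandom(16)
    acct.password_hash = hash_password(new, acct.salt)
    return "ok"
```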