diff --git a/lib/kadm5/chpass_s.c b/lib/kadm5/chpass_s.c
index 8ce0ec0cf..c6551a64e 100644
--- a/lib/kadm5/chpass_s.c
+++ b/lib/kadm5/chpass_s.c
@@ -46,7 +46,7 @@ change(void *server_handle,
 kadm5_ret_t ret;
 Key *keys;
 size_t num_keys;
- int cmp = 1;
+ int existsp = 0;
 memset(&ent, 0, sizeof(ent));
 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
@@ -70,11 +70,11 @@ change(void *server_handle,
 }
 ent.entry.kvno++;
 if (cond)
- cmp = _kadm5_cmp_keys (ent.entry.keys.val, ent.entry.keys.len,
- keys, num_keys);
+ existsp = _kadm5_exists_keys (ent.entry.keys.val, ent.entry.keys.len,
+ keys, num_keys);
 _kadm5_free_keys (context->context, num_keys, keys);
- if (cmp == 0) {
+ if (existsp) {
 ret = KADM5_PASS_REUSE;
 krb5_set_error_message(context->context, ret, "Password reuse forbidden");
 goto out2;
diff --git a/lib/kadm5/keys.c b/lib/kadm5/keys.c
index b66d917a4..9a8415d84 100644
--- a/lib/kadm5/keys.c
+++ b/lib/kadm5/keys.c
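Review bot: `if (existsp)` in the second hunk now rejects the password change when any one of the candidate keys matches an existing key, whereas `cmp == 0` only fired when the entire key set was identical; the variable name does not convey that tightening, so the line deserves a comment such as `/* reject if any new key equals a stored key, even when the enctype set differs */`. Since `existsp` starts at 0 and is only assigned under `if (cond)`, the reuse check is skipped entirely when `cond` is false — presumably intended, but `cond` is set outside the hunk so that cannot be confirmed here. The rename from `_kadm5_cmp_keys` to `_kadm5_exists_keys` is applied to the call site and the definition, but no hunk updates the prototype in the private header; unless that is in a part of the diff not shown, the build will fail or fall back to an implicit declaration. The enclosing function `change()` begins and ends outside both hunks.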
@@ -64,37 +64,39 @@ _kadm5_init_keys (Key *keys, int len)
 }
 /*
- * return 0 iff `keys1, len1' and `keys2, len2' are identical
+ * return 1 if any key in `keys1, len1' exists in `keys2, len2'
 */
 int
-_kadm5_cmp_keys(Key *keys1, int len1, Key *keys2, int len2)
+_kadm5_exists_keys(Key *keys1, int len1, Key *keys2, int len2)
 {
- int i;
-
- if (len1 != len2)
- return 1;
+ unsigned int i, j;
 for (i = 0; i < len1; ++i) {
- if ((keys1[i].salt != NULL && keys2[i].salt == NULL)
- || (keys1[i].salt == NULL && keys2[i].salt != NULL))
+ for (j = 0; j < len2; j++) {
+ if ((keys1[i].salt != NULL && keys2[j].salt == NULL)
+ || (keys1[i].salt == NULL && keys2[j].salt != NULL))
+ continue;
+
+ if (keys1[i].salt != NULL) {
+ if (keys1[i].salt->type != keys2[j].salt->type)
+ continue;
+ if (keys1[i].salt->salt.length != keys2[j].salt->salt.length)
+ continue;
+ if (memcmp (keys1[i].salt->salt.data, keys2[j].salt->salt.data,
+ keys1[i].salt->salt.length) != 0)
+ continue;
+ }
+ if (keys1[i].key.keytype != keys2[j].key.keytype)
+ continue;
+ if (keys1[i].key.keyvalue.length != keys2[j].key.keyvalue.length)
+ continue;
+ if (memcmp (keys1[i].key.keyvalue.data, keys2[j].key.keyvalue.data,
+ keys1[i].key.keyvalue.length) != 0)
+ continue;
+ return 1;
- if (keys1[i].salt != NULL) {
- if (keys1[i].salt->type != keys2[i].salt->type)
- return 1;
- if (keys1[i].salt->salt.length != keys2[i].salt->salt.length)
- return 1;
- if (memcmp (keys1[i].salt->salt.data, keys2[i].salt->salt.data,
- keys1[i].salt->salt.length) != 0)
- return 1;
 }
- if (keys1[i].key.keytype != keys2[i].key.keytype)
- return 1;
- if (keys1[i].key.keyvalue.length != keys2[i].key.keyvalue.length)
- return 1;
- if (memcmp (keys1[i].key.keyvalue.data, keys2[i].key.keyvalue.data,
- keys1[i].key.keyvalue.length) != 0)
- return 1;
 }
 return 0;
 }
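Review bot: The new counters are declared `unsigned int i, j;` while `len1` and `len2` stay `int`, so `i < len1` and `j < len2` are signed/unsigned comparisons; a negative length is promoted to a large unsigned value and the loops would walk past the end of `keys1` or `keys2` instead of terminating. The simplest fix is to keep the counters matching the parameters, `int i, j;`, or alternatively widen both parameters to `size_t` — the caller in chpass_s.c passes `num_keys`, a `size_t`, which is currently narrowed to `int` at the call. The header comment should also state the match criteria the code actually applies, e.g. `/* return 1 if some key in keys1 has the same enctype, key value and salt (type, length, data) as some key in keys2; 0 otherwise */`. The function `_kadm5_exists_keys` lies entirely within the hunk.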