> I am a bit shocked that they want to keep old passwords.

Presumably that is required to stop simple password rotation of Password1, Password2, Password1.

> why bother with the ones that don't work?

That's going to depend on what the attack is against. If it's a consumer-facing web site then you're probably right and the attacker will move right along unless it's a high-profile account (Zuckerberg et al). If it's an internal system then the attacker is probably more interested in named accounts/roles, and spending a few seconds to work out whether the password is an easily decipherable sequence will quickly pay off.