Trying to keep user from using an old password for their new one

help you fix your problem First, I would caution you to never, ever, ever, ever, ever assume the user is who he says he is, especially when it comes to changing the very key that allows them access to their account. It is a very well used method to always require a password authentication to edit the password.
As for entering the password twice, that is mostly done so on the back end you can compare the two passwords and make sure that they are identical. This is done to make sure that the user has intended to type the password as it is typed. The odds of making the same typo twice in a row are not likely, and as such if the two passwords are identical you can pretty well assume that they are typo free.

wish helps you I think you miss to define $username = $_POST["username"]; and $password= $_POST["password"];

$username = $_POST["username"];
$password= $_POST["password"];

if ($password!=$user[$username] || ((empty($_POST['username']) && 
(!empty($_POST['password'])))) || (empty($_POST['password']) && 
(!empty($_POST['username'])))) 

I wish this help you Ok, the solution would be to use the Dependency Injection and then use the check() method. Here is the code :

<?php    
/**
* @file
* contains \Drupal\customer_profile\Controller\ProfileUpdateController
*/
namespace Drupal\customer_profile\Controller;

use Drupal\Core\Controller\ControllerBase;

use Symfony\Component\HttpFoundation\JsonResponse;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface; 
use Symfony\Component\DependencyInjection\ContainerInterface;
use Drupal\Core\Password\PasswordInterface;

 class ProfileUpdateController extends ControllerBase implements ContainerInjectionInterface {

  public function __construct(PasswordInterface $password_hasher, AccountInterface $account) {
   $this->passwordHasher = $password_hasher;
   $this->account = $account;
  }

   public static function create(ContainerInterface $container) {
     return new static(
       $container->get('password'),
       $container->get('current_user')
     );
   }

   public function updatePassword() {
     //global $user;
     $response = new \stdClass();
      //check the plain password with the hashed password from db
     $pass = $this->passwordHasher->check('secret', 'hashed_password_from_db');

     $response->password = $pass;
     // this will return true if the password matches or false vice-versa
     return new JsonResponse($response);
   }
  }
   ?>

  $user = User::load(1);
  $user->setPassword('new_password_secret');
  $user->save();

fixed the issue. Will look into that further Using your code and your example file, I unfortunately cannot reproduce the issue: The code executes without throwing an exception.
But it does not yet do what you want either: The result file still is encrypted. Thus, here some information on that.

class MyReader extends PdfReader {
    public MyReader(final String filename, final byte password[]) throws IOException {
        super(filename, password);
    }
    public void decryptOnPurpose() {
        encrypted = false;
    }
}

public void manipulatePdf(String src, String dest) throws IOException, DocumentException {
    MyReader.unethicalreading = true;
    MyReader reader = new MyReader(src, "abc123".getBytes());
    reader.decryptOnPurpose();
    PdfStamper stamper = new PdfStamper(reader, new FileOutputStream(dest));
    stamper.close();
    reader.close();
}

PdfReader.unethicalreading = true;
PdfReader reader = new PdfReader(inputStream, "abc123".getBytes());

Field encryptedField = PdfReader.class.getDeclaredField("encrypted");
encryptedField.setAccessible(true);
encryptedField.set(reader, false);

PdfStamper stamper = new PdfStamper(reader, outputStream);
stamper.close();
reader.close();

To fix the issue you can do In the end, I figured out the issue: