I am thinking of adding a small piece of logic that will test your password at login, using the http://haveibeenpwned.com/ API to determine if the password you use to login on Geekzone has been compromised in another site - reusing passwords is quite normal and people don't think much about it.
My question is - how do think a message like "The password you use on Geekzone has been previously used by yourself or someone else on another site. This password has been leaked as per http://haveibeenpwned.com/. We suggest you change your password on Geekzone and other sites. Make sure to create unique passwords for each service you use."
Do you think this is clear enough so that most people understand a compromised password wasn't leaked by Geekzone, but some other service? Suggestions?
To be clear, testing via their API never sends a password but only a hash of it. We'd do this check at login time because that's the time our scripts have your password - we salt and hash the password before it's stored in our database so we wouldn't know it.