Sometime soon I will deploy a new feature to our login page - we will automatically check for compromised passwords against the Have I Been Pwned database.
Users trying to log in with passwords that are found to be compromised will not be allowed to log in and will be redirected to a page explaining why, with the option to initiate the password reset process. If your password has been compromised you will need access to your email to successfully reset it.
Important things to note:
- compromised passwords mean the password is the same as a password used in some other service that has been leaked. This affects people who re-use passwords and people who use common passwords
- this doesn't mean our system was compromised - it only means the password was compromised somewhere else (and might even be that it's not your password that was compromised but only that you used a common enough password)
- this doesn't mean we know your password - it only means the password entered in the form will be checked during the login process, as received
- all sessions will be killed before this change goes live
- the API does not require your whole password to be sent. The short explanation is that we hash the password as entered in the form and send only the first five characters of the hash, with the API responding with a list of hash suffixes that share that prefix, which we then compare against our entire hash. The API is described here.
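The prefix-and-suffix comparison described above, as an added example written for this post rather than code from the site or from Have I Been Pwned. The hashing (SHA-1, uppercase hex) and the range endpoint URL are the published behaviour of the Pwned Passwords range API; the lookup is split so that the network call is injectable, and the sample response body, the password "password" and its count of 1234 are constructed for the offline demonstration. The function names (`split_hash`, `parse_range_response`, `pwned_count`, `login_allowed`) and the fail-open policy on API errors are assumptions for illustration, not the site's actual implementation.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real base URL of the Pwned Passwords range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password as typed; return (5-char prefix, 35-char suffix) in uppercase hex.
    Only the prefix ever leaves the server, so the password itself is never sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range API returns into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live fetch (not exercised in the offline test). A User-Agent is required by the API."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "example-login-check"},  # assumed identifier
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times this exact password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def login_allowed(password: str, fetch_range: Callable[[str], str] = fetch_range_http) -> bool:
    """Decision used by the login flow: block any password seen in a breach.
    Assumption: if the API is unreachable, fail open so an outage does not lock everyone out."""
    try:
        return pwned_count(password, fetch_range) == 0
    except OSError:
        return True


# Constructed range response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The suffixes and counts here are made up for the demo, not real API data.
CONSTRUCTED_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
FFFFEC9E9A2FF0B9E2C6A9B1D1A5B7C3E3A:1
"""


def constructed_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call so the example runs offline."""
    return CONSTRUCTED_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(split_hash("password"))                         # ('5BAA6', '1E4C9B93F3F0682250B6CF8331B7EE68FD8')
    print(pwned_count("password", constructed_fetch))     # 1234
    print(login_allowed("password", constructed_fetch))   # False
```

Note that the comparison against the returned suffixes happens entirely on the server side, so the API only ever learns which one of roughly a million hash ranges the password falls into.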
If you want to be proactive and check your password now, I suggest you visit Have I Been Pwned: Pwned Passwords any time.