Right now it is simple to prevent a user from authenticating when they have a compromised password. However, we should support more flows:
- Allow the user to authenticate, but force the user to change their password before doing anything else
- Allow the user to authenticate, but post a warning that the password was compromised
- Checking when a password is changed
Related gh-15745