This repository has been archived by the owner on Oct 12, 2022. It is now read-only.

Respond to lists of user ids/passwords from other sites #1

Open
UppaJung opened this issue Oct 12, 2015 · 0 comments

Comments

@UppaJung
Contributor

When a list of user ids (usernames/emails)/passwords from a compromised site is obtained, the system should facilitate

  1. Testing in real time whether a user used the same password on that other site, if the password is known.
  2. Testing the next time the user's correct password is entered, if we only have a hash of the password (but know the hash function).
  3. Adding an attribute to the account so that it can be searched easily and so a password reset can be enforced.
  4. Revoking any cookies created after the suspected date of compromise, or otherwise providing less benefit to having such a cookie.
  5. Optionally preventing all logins from clients that do not have cookies that predate the compromise.
  6. Tracking compromised passwords as a new type to use when penalizing blocking attacks. The use of a compromised password from an IP the user has logged in from before may be an indicator that an IP is trying to log in with these passwords.
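The following is an added example illustrating items 1 through 5 of the list above; it is not code from the issue or from the project, and the account storage format (PBKDF2 verifier, a cookie-id to issue-time map), the `BreachedCredential` shape, the `BreachResponder` class and the leaked-list entries in `run_demo` are all constructed for illustration. It shows the two check paths the issue distinguishes: a plaintext entry is tested against the local verifier immediately, while a hash-only entry is queued and tested only when the user next enters a password the local verifier accepts. A match sets the searchable account attribute, forces a reset, and revokes every cookie issued after the suspected compromise date; the optional strict mode trusts only cookies that predate it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class BreachedCredential:
    """One entry from a leaked list (constructed shape, not a real leak format).
    Either the plaintext is known, or only a digest plus the other site's hash function."""
    user_id: str
    password: Optional[str] = None
    password_hash: Optional[str] = None    # hex digest as it appeared in the leak
    hash_algorithm: Optional[str] = None   # a name hashlib.new accepts, e.g. "sha1"
    hash_salt: str = ""                    # other site's salt, assumed prefixed to the password


def leaked_password_matches(cred: BreachedCredential, candidate: str) -> bool:
    """True if candidate equals the leaked plaintext, or hashes to the leaked digest."""
    if cred.password is not None:
        return hmac.compare_digest(cred.password.encode(), candidate.encode())
    digest = hashlib.new(cred.hash_algorithm, (cred.hash_salt + candidate).encode()).hexdigest()
    return hmac.compare_digest(digest, cred.password_hash.lower())


@dataclass
class Account:
    user_id: str
    salt: bytes
    verifier: bytes                      # PBKDF2 of the current password (hypothetical storage)
    compromised_elsewhere: bool = False  # searchable attribute (item 3)
    must_reset_password: bool = False
    cookies: dict = field(default_factory=dict)   # cookie id -> issue time (UTC)


def make_account(user_id: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(user_id, salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def verify_password(account: Account, password: str) -> bool:
    computed = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, 100_000)
    return hmac.compare_digest(computed, account.verifier)


class BreachResponder:
    """Applies items 1-5 to one leaked list with one suspected compromise date."""

    def __init__(self, compromise_date: datetime):
        self.compromise_date = compromise_date
        self.pending: dict = {}   # user_id -> hash-only entry awaiting the next correct login

    def ingest(self, accounts: dict, entries) -> list:
        """Item 1: test plaintext entries now. Item 2: queue hash-only entries."""
        flagged = []
        for cred in entries:
            account = accounts.get(cred.user_id)
            if account is None:
                continue
            if cred.password is None:
                self.pending[account.user_id] = cred
            elif verify_password(account, cred.password):
                self.mark_compromised(account)
                flagged.append(account.user_id)
        return flagged

    def on_correct_password(self, account: Account, password: str) -> bool:
        """Call only after the local verifier accepted the password; completes item 2."""
        cred = self.pending.pop(account.user_id, None)
        if cred is not None and leaked_password_matches(cred, password):
            self.mark_compromised(account)
        return account.compromised_elsewhere

    def mark_compromised(self, account: Account) -> None:
        account.compromised_elsewhere = True   # item 3: searchable flag
        account.must_reset_password = True     # item 3: enforced reset
        account.cookies = {cid: issued for cid, issued in account.cookies.items()
                           if issued < self.compromise_date}   # item 4: revoke newer cookies

    def cookie_is_trusted(self, account: Account, cookie_id: Optional[str]) -> bool:
        """Item 5: only a cookie that predates the compromise marks a client as trusted."""
        issued = account.cookies.get(cookie_id) if cookie_id else None
        return issued is not None and issued < self.compromise_date


def run_demo() -> dict:
    """Constructed scenario: one plaintext match, one hash-only match, one non-match."""
    responder = BreachResponder(datetime(2015, 9, 1, tzinfo=timezone.utc))
    alice = make_account("alice@example.com", "hunter2")
    bob = make_account("bob@example.com", "correcthorse")
    carol = make_account("carol@example.com", "unique-local-password")
    alice.cookies = {"c-old": datetime(2015, 8, 1, tzinfo=timezone.utc),
                     "c-new": datetime(2015, 9, 15, tzinfo=timezone.utc)}
    accounts = {a.user_id: a for a in (alice, bob, carol)}
    leaked = [
        BreachedCredential("alice@example.com", password="hunter2"),
        BreachedCredential("bob@example.com", hash_algorithm="sha1",
                           password_hash=hashlib.sha1(b"correcthorse").hexdigest()),
        BreachedCredential("carol@example.com", password="not-what-she-uses-here"),
    ]
    flagged_now = responder.ingest(accounts, leaked)
    # Bob's entry is hash-only, so nothing happens until his next correct login.
    return {
        "flagged_on_ingest": flagged_now,
        "alice_cookies": sorted(alice.cookies),
        "alice_old_cookie_trusted": responder.cookie_is_trusted(alice, "c-old"),
        "alice_new_cookie_trusted": responder.cookie_is_trusted(alice, "c-new"),
        "bob_flagged_at_login": responder.on_correct_password(bob, "correcthorse"),
        "bob_must_reset": bob.must_reset_password,
        "carol_flagged": responder.on_correct_password(carol, "unique-local-password"),
    }


if __name__ == "__main__":
    print(run_demo())
```

`on_correct_password` is deliberately separate from `verify_password`: the deferred check in item 2 must only ever see a password the local verifier has already accepted, so a single failed guess against a queued account never reveals whether the leaked hash matched. Item 6 is not modelled here, since it depends on the project's own attempt-penalty bookkeeping.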