I think gp is complaining that the second you type your password into the form, you've "used it", hence you should change it.
The gp makes a good point, but that's also why you can submit the `sha1($your_password)` instead. The only question is why did Troy allow un-hashed passwords to be submitted.
Maybe - even better - if you could submit only - say - first 8 characters of the SHA1 (and NOT the complete hash) and provide - still say - max 10 "whole" hashes found with that 8 char beginning (if more than 10 ask for a ninth char).
I mean, here is the SHA1 of my password (not really):
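A small simulation of the prefix-lookup scheme sketched in the comment above, added here as an illustration (it is not Troy Hunt's code, and the corpus of "breached" passwords is constructed for the example). It assumes the parameters the comment proposes: the client submits the first 8 hex characters of its SHA-1 hash, the server returns at most 10 whole hashes with that prefix, and asks for one more character if the bucket is larger. The `PrefixServer`, `is_pwned` and `NeedLongerPrefix` names are this example's own:

```python
"""Hash-prefix lookup against a breached-password corpus.

Constructed simulation of the scheme in the comment: the "server" holds
SHA-1 hashes of breached passwords; the client submits only a prefix of
its own password's hash and finishes the comparison locally.  If a prefix
matches more hashes than the server will return, it asks for one more
character.  The server therefore never receives the full hash.
"""
import hashlib
from dataclasses import dataclass, field

PREFIX_LEN = 8    # "first 8 characters of the SHA1" from the comment
MAX_RESULTS = 10  # "max 10 whole hashes" from the comment


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of a password (the form the server stores)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


@dataclass
class NeedLongerPrefix:
    """Server reply when too many stored hashes share the submitted prefix."""
    wanted_len: int


@dataclass
class PrefixServer:
    """Hypothetical lookup service holding a set of breached-password hashes."""
    hashes: set
    max_results: int = MAX_RESULTS
    # Everything the server ever learns from clients, kept for inspection.
    seen_prefixes: list = field(default_factory=list)

    @classmethod
    def from_passwords(cls, passwords, max_results=MAX_RESULTS):
        return cls({sha1_hex(p) for p in passwords}, max_results)

    def range_query(self, prefix: str):
        """Return every stored hash starting with `prefix`, or ask for more chars."""
        prefix = prefix.upper()
        self.seen_prefixes.append(prefix)
        matches = sorted(h for h in self.hashes if h.startswith(prefix))
        if len(matches) > self.max_results:
            return NeedLongerPrefix(len(prefix) + 1)
        return matches


def is_pwned(password: str, server: PrefixServer, start_len: int = PREFIX_LEN) -> bool:
    """Client side: hash locally, send a prefix, grow it only if the server asks."""
    full = sha1_hex(password)
    n = start_len
    while n <= len(full):
        reply = server.range_query(full[:n])
        if isinstance(reply, NeedLongerPrefix):
            n = reply.wanted_len
            continue
        # The final comparison happens here, on the client; the server only
        # ever saw the prefixes recorded in server.seen_prefixes.
        return full in reply
    raise AssertionError("unreachable: a 40-char prefix matches at most one hash")


# Constructed corpus standing in for a breach dump (not real leaked data).
BREACHED_PASSWORDS = [f"pw{i}" for i in range(500)] + ["password", "123456"]


if __name__ == "__main__":
    srv = PrefixServer.from_passwords(BREACHED_PASSWORDS)
    for candidate in ["password", "pw42", "correct horse battery staple"]:
        print(f"{candidate!r}: pwned={is_pwned(candidate, srv)}")
    print("longest prefix the server saw:", max(len(p) for p in srv.seen_prefixes))
```

The property worth checking after a run is `seen_prefixes`: it contains only short prefixes, never a full hash, so the service learns at most which bucket the password falls into, and the client learns only the handful of hashes in that bucket rather than the whole corpus. Shortening the prefix leaks less about the password but returns more hashes per query, which is what the "ask for a ninth char" rule trades off.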