by Semaphor 1253 days ago
Edit: I misunderstood Troy.

Original comment:

No, it doesn't penalize them (at least not his idea, implementations might), it simply fast tracks pwned emails and doesn't apply the normal bot checks that would otherwise apply to everyone.


That's not how he's suggesting it would work. All checks would normally be applied to build a "how human are you" or "humanness" score. He's suggesting a pwned email test and arguing it would be a good signal for "humanness". The implementation might not make it an explicit penalty (-1 to your "humanness" score), but not being pwned might not help your case (+1 if you are pwned, but +0 if you're not).
Yeah it would definitely be good to integrate it into a Bayesian approach where it is mixed with other factors to generate a % chance of being human vs. bot.
I wonder how many pwned email and password pairs still match. Crooks can take control of these pwned accounts and pretend to be trustworthy.
It depends on the risk. I have an account that was pwned (with the same password) but there is no risk to me as there isn't anything useful in that account (not even a DoB, address or even a name). Worst case, someone changes the password and locks me out. Then I'll create another account as it's not a big deal.
The point would not be that it's a threat to you (though it may be), it's that compromised accounts (like one you don't care about) are a threat to an ecosystem that can't identify whether a "user" is a human or a bot.

That is, your compromised account could be used in an attack and it would look like a human.