by chromedude 4256 days ago
This is a great idea, but I'd be concerned that a bunch of the users would freak out when they were told that Facebook checked whether their current password has been compromised. Anyone know how they word the notice to the users to keep non-techie people from getting concerned that Facebook is looking at their passwords?

I could be wrong, but I imagine most non-techie people would assume (incorrectly) that Facebook has their plaintext passwords anyway, and that that's the mechanism by which their passwords are verified at login time. I don't feel like the concept of a salted hash is familiar to most people. As a consequence, I don't think people would actually find this especially concerning.
Seconded. With a small amount of experience over a long period of time dealing with customer support, my observation is that most people assume passwords are stored in plain text, and don't even consider an alternative. At my current place of employment, we frequently get people phoning up, asking for their password; some seem a bit put out when we explain we cannot provide it.

As people who know more about this, it is our responsibility to ensure those who know little, and care even less, don't have to worry about it. On the surface, this initiative by Facebook is an excellent example.