michaelbanfield / devise-pwned_password

Devise extension that checks user passwords against the PwnedPasswords dataset
https://rubygems.org/gems/devise-pwned_password
MIT License

Optionally set a different password match threshold to warn users #16

Closed damonmorgan closed 5 years ago

damonmorgan commented 5 years ago

You may want to treat pwned passwords differently for new users vs existing users.

For example you may only want to reject passwords on sign up that are common (min_password_matches = 1000) but then still warn users if their password occurs at all in the list giving them the option to choose a better password.

If you do choose to have a different warning threshold, that threshold should then be used when a user changes their password so that they don't continue to be warned if they choose another password that is in the pwned list (but occurs with a frequency below the sign-up threshold).
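The two-threshold behaviour proposed above, as an added example that is not the gem's code (class, option names and the sample counts are hypothetical; the k-anonymity range format of 35-hex-char SHA-1 suffix plus count is the one the Pwned Passwords dataset uses):

```ruby
require 'digest'

# Two-threshold check as proposed in the thread (hypothetical names, not the gem's API):
#   reject_at - sign-up passwords seen at least this often are rejected (min_password_matches = 1000)
#   warn_at   - passwords seen at least this often only trigger a warning for existing users,
#               but are rejected on password change so the user is not warned again afterwards
class PwnedThreshold
  Verdict = Struct.new(:status, :count)

  def initialize(range_lookup, reject_at: 1000, warn_at: 1)
    @range_lookup = range_lookup # callable: 5-char SHA-1 prefix -> "SUFFIX:COUNT" lines
    @reject_at = reject_at
    @warn_at = warn_at
  end

  # k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the process;
  # the remaining 35 chars are matched against the returned range locally.
  def count_for(password)
    sha1 = Digest::SHA1.hexdigest(password).upcase
    prefix, suffix = sha1[0, 5], sha1[5..-1]
    @range_lookup.call(prefix).each_line do |line|
      hit, count = line.strip.split(':', 2)
      return count.to_i if hit == suffix
    end
    0
  end

  # context: :sign_up (reject only at reject_at) or :password_change (reject at warn_at)
  def evaluate(password, context: :sign_up)
    count = count_for(password)
    limit = context == :password_change ? @warn_at : @reject_at
    status = if count >= limit then :reject
             elsif count >= @warn_at then :warn
             else :ok
             end
    Verdict.new(status, count)
  end
end

# Constructed offline stand-in for the range endpoint; the counts are made up for this example.
SAMPLE_COUNTS = { 'password' => 3_000_000, 'correct horse battery staple' => 3 }.freeze
SAMPLE_RANGE_LOOKUP = lambda do |prefix|
  SAMPLE_COUNTS.map do |pw, n|
    h = Digest::SHA1.hexdigest(pw).upcase
    "#{h[5..-1]}:#{n}\n" if h[0, 5] == prefix
  end.compact.join
end

if __FILE__ == $PROGRAM_NAME
  checker = PwnedThreshold.new(SAMPLE_RANGE_LOOKUP)
  puts checker.evaluate('password').to_a.inspect                     # [:reject, 3000000]
  puts checker.evaluate('correct horse battery staple').to_a.inspect # [:warn, 3]
end
```

In a real deployment `range_lookup` would call the Pwned Passwords range endpoint over HTTPS; the lambda here only stands in for it so the example runs offline.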

eae commented 5 years ago

Ohai @michaelbanfield the gem hasn't been updated with this change, is that intentional?

damonmorgan commented 5 years ago

Yes, it would be good to see this released as I’m still using my branch. I did it so it would be fully backwards compatible so it should be safe to release.