a theatre is where you have the feeling of security, but you don't really have it in reality.
You cannot claim that just because some users are 'saved' as evidence that this is an effective security measure, because if a password was leaked, and not discovered, then this measure doesn't prevent it. But it is imposing a cost, which cannot be measured against effectiveness.
Change the whole process to 2FA is secure because there's provable guarantees for the costs imposed, and therefore, you can make an objective decision on whether it is worth implementing.
> this measure saves actual people in actual reality
no it doesn't. The claim is that by removing publicly leaked passwords, the user is prevented from having their logins stolen. But you didnt know if that password was going to be used for stealing - it's an assumption. You also dont know if private leaks are already being used, and is undetected.
It's the same type pf claim that the TSA (transport security authority) is saving people from terrorism.
> But you didnt know if that password was going to be used for stealing - it's an assumption
But you do know for a fact that these leaked passwords are used for stealing, so forcing a password change would prevent that, ergo, save some users from having their data stolen. Private leaks have no impact on this
> you do know for a fact that these leaked passwords are used for stealing
no, the passwords are revealed, but it might not be used for stealing. And passwords that are stolen but not revealed publicly will continue.
My point is that the site will force an update, but the user's quota of inconvenience is used up - therefore, a more effective measure such as 2FA will be seen as unnecessary by the user, and thus, lower the user's security.
This is why the solution is to not spend the effort/cost on trying to detect password leaks. It is to make 2FA.
You cannot claim that just because some users are 'saved' as evidence that this is an effective security measure, because if a password was leaked, and not discovered, then this measure doesn't prevent it. But it is imposing a cost, which cannot be measured against effectiveness.
Change the whole process to 2FA is secure because there's provable guarantees for the costs imposed, and therefore, you can make an objective decision on whether it is worth implementing.