
When might it *not* be a good idea to reset your password immediately?


Let's suppose I'm an Evil Hacker™ and I just breached a website, stole all their bcrypt passwords, and defaced their site for the lulz. But since it's bcrypt I can't crack anything.

I feel like what I'd do in this situation (as an Evil Hacker™) is to plant a backdoor in the reset-password form so that as soon as a user puts in an "old password", their password gets compromised without me having to brute-force bcrypt.

Am I overthinking this? Might there be times when rushing to the "reset password" form after a breach is a bad practice? If I (as a user) have a long, random password (but not necessarily a unique one), and I find out the passwords are stored securely, can I just continue to use the same password after a breach?

This question is inspired by "Should I reset my password on Internet Archive?".
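The scenario in the question, a reset-password form quietly altered after a breach, is exactly what a site operator checks for before telling users to rotate credentials. The following is an added example, not code from the original post or from any site mentioned in it: it hashes every file under a deployment directory, compares the result against a manifest taken from the known-good release, and reports files that were modified, added, or removed. The directory layout, file names and contents (a reset template, a handler, and a planted extra file) are constructed for the example.

```python
"""
Added example (not from the original post): a minimal file-integrity check
for the files that make up a site's password-reset form. A defender records
a manifest of SHA-256 digests from the clean release and, after a breach,
compares the deployed files against it. A tampered template shows up as a
hash mismatch and a planted script shows up as an unexpected extra file.
All paths and contents below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose content changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean deployment, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "templates").mkdir()
        form = site / "templates" / "reset_password.html"
        form.write_text(
            '<form method="post" action="/reset">\n'
            '  <input type="password" name="old_password">\n'
            '  <input type="password" name="new_password">\n'
            "</form>\n"
        )
        (site / "reset.py").write_text(
            "def reset(old, new):\n    return verify(old) and store(new)\n"
        )
        baseline = build_manifest(site)  # taken from the known-good release

        # Simulated post-breach state: the template was edited and a file was planted.
        form.write_text(form.read_text() + "<!-- constructed tampering marker -->\n")
        (site / "static").mkdir()
        (site / "static" / "inject.js").write_text("// constructed: file not in the release\n")

        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is produced at build time and stored outside the web host (or signed), since a manifest that lives on the compromised server can be rewritten along with the form. Running the comparison before re-enabling the reset flow is what justifies telling users it is safe to type their old password into it.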