@Gargron Bypass their database altogether: When someone signs up, before hashing the password simply go the email/username/password combination on all the sites haveibeenpwned covers. It's the perfect plan, and there is no way it could possibly go wrong.