Reply to Message

So set the system to inform the user when they last logged in. If the user sees their last login wasn't when they last logged in they know their password is compromised and can change it immediately and to something totally different, rather than being blissfully unaware until the system forces them to change it resulting in them changing MyPasswordToComplyWithSillyRule101 to MyPasswordToComplyWithSillyRule102 which the person who cracked their password will probably try first of all when they realise ...101 doesn't work any more.