Add note about false positives on password check

Since the check to see if a password has been present in a data breach
is using a Bloom filter, there's a small chance of false positives (I
believe it's 0.1% currently). This is confusing when it happens, so this
just clarifies that it's possible but they'll have to pick a new
password anyway.

tildes/scss/modules/_sidebar.scss

@@ -4,7 +4,6 @@
 #sidebar {
   p {
     margin-bottom: 0.4rem;
-    line-height: 1rem;
   }
 
   .btn {

tildes/tildes/schemas/user.py

@@ -90,7 +90,7 @@ class UserSchema(Schema):
             return
 
         if is_breached_password(value):
-            raise ValidationError("That password exists in a data breach")
+            raise ValidationError("That password exists in a data breach (see sidebar)")
 
     @pre_load
     def prepare_email_address(self, data: dict) -> dict:

tildes/tildes/templates/includes/password_restrictions.jinja2

@@ -6,6 +6,9 @@
     <ul>
       <li>At least 8 characters long.</li>
       <li>Does not contain the username, and is not contained in the username.</li>
-      <li>Has not been previously exposed in a data breach (checked locally against a list downloaded from <a href="https://haveibeenpwned.com/Passwords" target="_blank">Troy Hunt's "Have I been pwned?"</a>).</li>
+      <li>
+        <p>Has not been previously exposed in a data breach (checked locally against a list downloaded from <a href="https://haveibeenpwned.com/Passwords" target="_blank">Troy Hunt's "Have I been pwned?"</a>).</p>
+        <p class="text-small ml-2">Note: this check uses a <a href="https://en.wikipedia.org/wiki/Bloom_filter" target="_blank">Bloom filter</a>, so false positives are possible (but very rare). Even if it is a false positive, you must choose a different password.</p>
+      </li>
     </ul>
   </dd>