If you are looking for security, I strongly suggest using authentication via the server.

Personally an implimentation of LDAP seems to give the most flexability, and will allow you to do the tests you are interested in. (You really do not care if the passcodes are unique, but you DO care that user names are unique).

By the way, by letting someone know that the password they have requested is not unique across other users, you have created a security hole.

Good luck!
dageek