If the intent is to check on every page load, then the onRequestStart() method of your Application.cfc file seems as good a place as any. You would need some conditional logic so that the check doesn't start taking place until after the person has logged in, but that's rather simple.
Also, you can use a session variable to indicate if the person has a password. You don't have to query the db each time.