Well, it doesn't really work that way (author of the cited paper here)
This paper - which I just uploaded to arXiv instead of any peer-reviewed conference or journal - is just a side effect of a larger-scale effort that centered mostly around compliance to NIST's latest (June 2017) guidelines regarding password handling. A more expansive paper with more relevant statistics (% of compromised password use, length, gender, etc) is currently under consideration and review for an international conference presentation (so I'm not sure this comment section is the best area to expound on it.) The cited paper in this article, compared to that paper current under review, is really more of a curiosity. In fact, the paper itself mentions that - as this article itself quotes at the end.
Aside from that, we (my team) do a lot of other things in cryptography, security, disaster recovery and databases. The cited paper here is pretty much one of the blander results/output we have. That it got covered here is a surprise to me. I had no idea there are journalists who scour arXiv (a pre-print sharing site), and certainly no idea Tom would find it worth writing up.
What this article doesn't share, though, is that the methodology section in the paper also shares a useful thing: a simple way to implement the NIST guidelines of checking against compromised passwords. Not only does it point potential readers to Troy Hunt's password trove, it also lays out the process and potential implementation that can be used to adhere to the new NIST password guidelines.