Does a password found on "Have I Been Pwned?" actually indicate *it* was breached?
I may be misunderstanding this, but I was under the impression that if a set of access credentials are listed on Troy's site, it generally indicates that the credentials were collected from a compromised web server or similar. I.e. the presence on the list alone can't be taken as an indication that the credentials themselves were necessarily weak, just that in many cases they were inadequately protected by a site that was hacked.