Reply to post: Sadly, HIBP is only a partial resource

UK National Crime Agency finds 225 million previously unexposed passwords

heyrick Silver badge

Sadly, HIBP is only a partial resource

Let's face it, unless your password is sixteen characters of line noise, there's a chance that somebody else on earth has also thought of "P1nkFl@m!ngo", so it turning up on a list doesn't necessarily mean anything. It'll just be another data point amongst all the other weird permutations.

Likewise, one of my email addresses turns up as having been compromised, thanks to lame-ass webmail "security" (in scare quotes).

What HIBP ought to do is have a method, somehow, of checking a password alongside an email address. Is my current password toast, or is it the one from back in 2014?

Clearly it needs a bit of additional protection here. Perhaps email a key to that address, and that key must be submitted with a password in order to get a yea or nay response.
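For the password half of what the post asks for, the protection problem the commenter raises is already solved on the client side: HIBP's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every known hash suffix under that prefix with its breach count, so the password itself never leaves the machine. The example below is added here and is neither the poster's code nor HIBP's; it implements that client-side k-anonymity lookup against a constructed stand-in for the server's response (the SHA-1 of "password" is real, the counts and filler suffixes are invented), and returns the count rather than a bare yes/no, since, as the post notes, a single hit on a common password tells you little on its own.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed stand-in for the body HIBP's range endpoint returns for prefix
# "5BAA6". Real responses run to hundreds of lines; the first suffix is the
# genuine tail of SHA-1("password"), but every count and the other suffixes
# are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
0123456789ABCDEF0123456789ABCDEF012:17
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1.

    Only the prefix is ever sent to the server; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed entries."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue  # tolerate junk rather than trusting it
        counts[suffix] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in HIBP's corpus (0 = not found).

    fetch_range(prefix) must return the response body for that 5-char prefix.
    """
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline fetcher: the constructed sample only covers prefix 5BAA6."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Network fetcher against the real API (not used by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print(f"prefix sent to server: {prefix}")
    print("count in sample corpus:", breach_count("password", offline_fetch))
```

Swap `offline_fetch` for `live_fetch` to query the real service; either way the only thing that crosses the wire is a five-character hash prefix shared by hundreds of other passwords, which is the "additional protection" the post is asking for, at least for the password side of the lookup.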
