If you think a password has been compromised then change it.
HIBP offers you a way to validate a password has been compromised, HIBP does not offer you a way to determine it has not been compromised or is otherwise suitable for use. It’s a service for excluding compromised passwords from use.
> It’s a service for excluding compromised passwords from use.
How does this work?
2 cases:
1. I know password P is compromised. I check it in HIBP. If compromised, great, but I already know that. If not, well, too bad. I still can't use it because I know it's compromised. - decision doesn't depend on the result of HIBP.
2. I don't know if P is compromised. I check it in HIBP. If compromised, I don't use P. If not, I don't use P because I already put P in a text box connected to the internet. - decision doesn't depend on the result of HIBP.
Don't get me wrong, I'm well aware of the value of HIBP. I'm just arguing about this particular use case.
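To make the "service for excluding compromised passwords from use" concrete, here is an offline model of the range-search (k-anonymity) lookup that HIBP's Pwned Passwords API is built on: the client hashes the candidate with SHA-1, sends only the first five hex characters, receives every known suffix under that prefix, and does the final match locally, so the full password (or its full hash) never leaves the client. This is an added example, not HIBP's code or either commenter's; the breach corpus, the function names and the in-process "server" are constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed breach corpus for the demo (not real HIBP data):
# password -> number of breaches it appeared in.
BREACHED = Counter({"password": 3, "123456": 5, "letmein": 1})


def sha1_hex(password: str) -> str:
    """Hex SHA-1 digest, upper-cased as in HIBP responses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Counter) -> dict:
    """Server side (simulated): group hashes by 5-char prefix -> {35-char suffix: count}."""
    index: dict = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


def range_query(index: dict, prefix: str) -> str:
    """Server side (simulated): answer GET /range/{prefix} with 'SUFFIX:COUNT' lines.

    The server only ever learns the 5-character prefix, which covers roughly
    1/16^5 of the SHA-1 space, i.e. many unrelated passwords.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    bucket = index.get(prefix.upper(), {})
    return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def client_request_prefix(password: str) -> str:
    """Client side: the only value transmitted for a lookup."""
    return sha1_hex(password)[:5]


def breach_count(password: str, index: dict) -> int:
    """Client side: query by prefix, match the suffix locally, return the breach count.

    A result of 0 means only 'not present in this corpus', not 'safe to use'.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    response = range_query(index, prefix)
    for line in response.splitlines():
        s, c = line.split(":")
        if s == suffix:
            return int(c)
    return 0


def allowed(password: str, index: dict) -> bool:
    """Exclusion policy: reject any candidate with a non-zero breach count."""
    return breach_count(password, index) == 0


# Module-level index so the functions can be exercised directly.
INDEX = build_range_index(BREACHED)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "sends", client_request_prefix(candidate),
              "-> seen", breach_count(candidate, INDEX), "times,",
              "allowed" if allowed(candidate, INDEX) else "rejected")
```

The design point is the asymmetry the first commenter describes: a hit is conclusive (the password is known to be exposed and should be rejected), while a miss only says the corpus does not contain it. In a real deployment the same client logic talks to the public API over HTTPS, and the local suffix comparison is what keeps the lookup from disclosing the candidate password itself.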