Comment by charcircuit

9 hours ago

> Most breaches already contain hashed passwords

It could show the hash instead.

> No, it's not ok that these passwords are already out there

So it's better that people have to pay for it instead of getting this information for free?

> Because it's important to say "I don't store passwords in HIBP"

This is a personal choice.

> I'm not your personal lookup service

The idea is that this would be done by the site itself and would not require manual work by the owner.

Hashes can be cracked, and end users won't understand how to create password hashes to check which one was leaked. Plus, salts exist.

Passwords shouldn't matter anyway. Use a password manager and be done with it. The real issue is metadata, which can't easily be changed - phone numbers, addresses, and the like. If any of that data is leaked, it becomes much harder to contain the impact. You can't move every time your address gets leaked online.