• kautau@lemmy.world
      6 upvotes · edited · 11 minutes ago

      Except you’re not

      https://haveibeenpwned.com/API/v3#PwnedPasswords

      Your computer is basically sending a part of your password (the first five characters of a hash), and if the server responds positively to a match it sends all the other possible combinations and your computer looks to see if it matches the rest based on what you typed.

      For more information

      https://en.wikipedia.org/wiki/K-anonymity

      It’s always good to be cautious, but it’s especially important to know how tech works, especially good tech, when it can have immense benefit.

    • JPAKx4@lemmy.blahaj.zone
      12 upvotes · 8 hours ago

      That is the correct way of thinking, never trust anything with your passwords.

      I was curious about what haveibeenpwned does, so I took a look at what the network tab in dev tools said was actually sent. When I type a password (say password123) and press check, it runs a function that hashes it with the “SHA-1” hash function and then sends the first 5 characters of the result. The response is over a thousand lines in the format <35 hash characters>:<number of breaches>.

      If any of these hashes are the start of your original hash, you now know it’s exposed and how many times it’s been exposed.
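      The client side of the range lookup that the two comments above describe, written out as an added example (not code from haveibeenpwned or from either commenter). It assumes the documented shape of a range response (one "SUFFIX:COUNT" line per entry); the response body is constructed inline, and the counts in it are made up, so it runs offline.

```python
import hashlib
import re

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 (well-known value).
# Constructed stand-in for the body the server would return for prefix "5BAA6";
# every count below is made up for this example.
CONSTRUCTED_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # suffix of SHA-1("password")
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1",      # last nibble differs: must not match
    "F" * 35 + ":0",
])

SUFFIX_LINE = re.compile(r"^([0-9A-F]{35}):(\d+)$")


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the 5-hex-char prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; reject anything malformed."""
    found: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUFFIX_LINE.match(line.upper())
        if m is None:
            raise ValueError(f"malformed range line: {line!r}")
        found[m.group(1)] = int(m.group(2))
    return found


def breach_count(password: str, body: str) -> int:
    """Match the locally kept suffix against the range body; 0 means not present."""
    _prefix, suffix = split_hash(password)
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print(f"server sees only the prefix {prefix}")
    print("breach count:", breach_count("password", CONSTRUCTED_RANGE_RESPONSE))
```

      The comparison happens entirely on the client, which is why the server never learns which of the roughly thousand suffixes in the range (if any) was the one you typed.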

    • we are all@crazypeople.online
      2 upvotes · 1 downvote · 8 hours ago

      I wouldn’t recommend providing any current passwords, but it could be used to determine any recent/previous compromises.