by nischalsamji 3249 days ago
HIBP provides a REST API to check if a password has been found in a breach. Is there a disadvantage to using it in applications and restricting users from using breached passwords?

It's not ideal to send every new user's password to a 3rd party service.
Hence the downloadable file, and even a suggestion to use that as an in-house checker. It's in the article.
You can still send the SHA1.
Without salt, meaning the majority of passwords can be reversed with brute-forcing or rainbow tables.

The second Google result for rainbow tables lets me download software and tables to efficiently reverse any SHA1 whose plaintext fits [a-zA-Z0-9]{1,9} or [a-z0-9]{1,10}. That's likely the majority of passwords an attacker would observe.
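As an added example (not code from the thread or from HIBP itself), the following shows the in-house alternative the comments point to: load the downloadable hash list into a local table and check a candidate password against it, so neither the password nor its full SHA1 ever leaves the application. It also shows the prefix/suffix split used by the Pwned Passwords range endpoint, where only the first five hex characters of the SHA1 are sent and the matching suffixes come back. The "HASH:COUNT" line format for the downloaded file and the range response are the real formats; the breach counts and the range response below are constructed inline so the code runs offline, and `simulate_range_response` is a stand-in for the remote service, not an HIBP API.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed sample: occurrence counts are made up for the example and are
# not taken from the real Pwned Passwords data set.
SAMPLE_BREACHED_PASSWORDS = {
    "password": 3730471,
    "123456": 23547453,
    "letmein": 182211,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA1 of the UTF-8 encoded password (the file's key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_file_text() -> str:
    """Constructed stand-in for the downloadable file: one 'SHA1HASH:COUNT' per line."""
    return "".join(f"{sha1_hex(p)}:{c}\n" for p, c in SAMPLE_BREACHED_PASSWORDS.items())


def load_breached_hashes(lines: Iterable[str]) -> Dict[str, int]:
    """Parse 'HASH:COUNT' lines into a lookup table keyed by uppercase hash."""
    table: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue  # tolerate blank lines at end of file
        digest, _, count = line.partition(":")
        table[digest.upper()] = int(count) if count else 0
    return table


def breach_count_local(password: str, table: Dict[str, int]) -> int:
    """In-house check: the password and its hash stay on this machine."""
    return table.get(sha1_hex(password), 0)


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def simulate_range_response(prefix: str, table: Dict[str, int]) -> str:
    """Constructed stand-in for the remote side: every 'SUFFIX:COUNT' under a prefix."""
    return "".join(
        f"{h[5:]}:{c}\n" for h, c in table.items() if h.startswith(prefix.upper())
    )


def breach_count_from_range(suffix: str, range_response: str) -> int:
    """Client side of the range check: match our suffix against the returned list."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_via_range(password: str, table: Dict[str, int]) -> int:
    """End-to-end range check against the constructed remote table."""
    prefix, suffix = split_for_range_query(password)
    return breach_count_from_range(suffix, simulate_range_response(prefix, table))


if __name__ == "__main__":
    table = load_breached_hashes(build_sample_file_text().splitlines())
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_for_range_query(pw)
        print(f"{pw!r}: local={breach_count_local(pw, table)}, "
              f"range={check_password_via_range(pw, table)}, prefix sent={prefix}")
```

A registration handler would reject any password with a non-zero count. The local table is the approach that addresses the concern raised above about handing every new user's password (or its unsalted SHA1) to a third party; the range variant discloses only a 5-character prefix, which many unrelated hashes share.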