by colonelxc 3042 days ago
Why not a javascript library instead of a service?

This allows clients to self-host the javascript (so it can't be modified to log the plain text password somewhere), and probably can plug into existing form validation with little hassle.

I guess the question is why should I trust your service more than using Troy Hunt's API directly. If you're sending hashed credentials anyway, all the verification of NIST recommendations needs to be done client-side anyway.

1 comment

There is no reason to trust this service over Troy Hunt's API. In fact I would use his API if I could guarantee that I wouldn't hit the rate limit too easily, as I'd rather not come across as a spammer. I would reach out to him if I did end up using his API. A library seems to be a good (and more secure) alternative to a service, and is a path I will consider if I decide to start this project.

On your comment about sending hashed creds: credentials would have to be sent to some server hosting the database, as the database would be quite large (for example, there are ~500 million password hashes in Troy Hunt's V2 release). That is the only networked component of the proposed service. Everything else would indeed be done client-side (with the current feature set).