So I should check my passwords against some remote API I have no idea who controls to see if they've been compromised? Does this API always return true?
It sends the first 5 characters of the SHA-1 hash to the API, which seems reasonable. To be safe, you could check after rotating all your passwords, or I suppose you could download the raw data yourself to check directly.
And the API is controlled by Troy Hunt, not some rando.
Troy Hunt and people who work at Cloudflare. But yeah it depends on your threat model. If it's just a random website password than it's probably fine to check. If you're trying to keep secrets from the state then maybe not.
Regardless of your threat model, you can read the code and see how it works. It's short and easy to understand. It doesn't send anything more than the first 5 characters of the SHA1 hash.
Sure but that leaks some information about your password. SHA-1 hashes are significantly quicker to compute than a password hash (and rainbow tables exist making it even faster). So the first five characters can be used to narrow the search space.
This is however not likely a real problem unless your threat model includes targeted attacks.
And the API is controlled by Troy Hunt, not some rando.