A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.
You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]
It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.
If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.
So you are trusting the HTML/CSS and javscript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.
Well it does, if you have javascript off, from the source (page says "If you submit a password in the form below, it will not be anonymised first")
Troy seems to have a fine reputation, but I don't want to trust the crown jewels (my passwords to everything) on Troy's reputation, the security of his site, cloudflare, and random javascript bits hosted in various places.
So sure the design and explanation of the page is that passwords are not uploaded. But since I can't practically verify that myself, I wouldn't upload passwords there. What's worse is even if I could audit every line of code, I couldn't guarantee other people wouldn't get a malicious version of the site.
So generally saying "Sure, type your password into a form on this webpage, I found an explanation that says it's not uploading it." is a very bad idea.
There's similarly plausible pages for things like generating SSL certs (not just CSRs), ssh keys, generating passwords for you, and similar that often have reassuring explanations that their security is just fine.
So generally never put your private key or plaintext password where a random 3rd party might read it. The promise that some anonymization process will be applied should not be enough to get you to risk it.
I claimed your initial unqualified statement, that it uploaded your password, was inaccurate, with both an explanation of what it was doing and the claim that I had not seen any evidence of it doing anything else.
I did not claim the site was not vulnerable to MITM or other injection attacks.
I did not claim you should trust this or any other resource with your password or any other data.
How about if you go to another device which you have not used before (maybe a library or internet cafe), do not identify yourself to the web in any way, open a sole link to that page and enter the passwords you wish to check. They are checked, but there is nothing to link them to you?
Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.
Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs..
Please don't make false assertions about what I was suggesting without any evidence.
Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.
I would certainly not put any live passwords into the webform.
But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.
For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js
A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.