by clusmore 2619 days ago
Not to detract from your efforts, but you can actually check your passwords with HIBP without sending the plaintext password. You can send the first 5 characters of the SHA-1 hash, and it will send back the rest of the hashes that match for you to compare against. See https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByR...
1 comments
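The range lookup described in the post above, as an added example that is not part of the original thread or HIBP's own code: the client hashes the password, passes only the 5-character prefix to the service, and matches the remaining 35 characters locally. `fetch_range` and `make_fake_service` are hypothetical names; the fake service stands in for the HTTP request, and its passwords and counts are constructed sample data.

```python
import hashlib
import hmac

def split_hash(password, prefix_len=5):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:prefix_len], digest[prefix_len:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, skipping blank or malformed ones."""
    results = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            results[suffix.upper()] = int(count)
    return results

def breach_count(password, fetch_range):
    """Look up a password; only the hash prefix is handed to fetch_range."""
    prefix, suffix = split_hash(password)
    candidates = parse_range_response(fetch_range(prefix))
    for candidate, count in candidates.items():
        # The comparison happens on the client, never on the service.
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0

def make_fake_service(known_passwords):
    """Constructed stand-in for the range endpoint; records what it receives."""
    seen, table = [], {}
    for pw, count in known_passwords.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix):
        seen.append(prefix)  # everything the service ever learns
        return "\r\n".join(table.get(prefix, []))

    return fetch_range, seen

if __name__ == "__main__":
    fetch, seen = make_fake_service({"password": 1234, "hunter2": 7})
    print(breach_count("password", fetch), "sightings; service saw", seen)
```

The service sees a prefix shared by many unrelated hashes, so it cannot tell which of them, if any, the client was checking.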

haveibeenpwned.com is so great!