[the8472]

Doesn't help. Some accounts are old and may not be in my current PW DB. Or they were memorized, or forgotten.

If the thing suggests the EMAIL (+ associated password) has been compromised for some unknown account then to do a risk assessment I would have find which account it belongs to, not which currently-in-use passwords match the same datasets.

Those are different queries, providing different bits of information.

[Thorrez]

Here's what I'm suggesting: query all your current passwords against the password API. Then you'll know which of your current password are compromised. Change them.

You don't need to query old passwords, only current passwords. If you're talking about accounts that you've forgotten the password to: then do you care about those accounts? If yes, probably best to do a password reset and set a new password. If you don't care about the account, then why bother?

As for why HIBP doesn't provide an API linking passwords to emails: HIBP has no database that links passwords and emails. So they can't provide any way to query that. They don't want to be in the business of linking passwords to emails.

[ekjhgkejhgk]

Of course it helps.

How's this for making it actionable:

Regardless of whether or not someone can associate it with your email, if your password has been seen in the wild, change it.

There you go.