This is still an alpha document - no more than an idea that started with a question from a sibling. I am not sure where it will go.
- Have I Been Pwned (HIBP) - list curated by Troy Hunt.
- Cloudbleed vulnerability list - Check the domains of any entries that appear in the Cloudbleed vulnerability list. This has potential to produce false positives due to the way this list was produced.
- Have I Been Pwned (HIBP) - Check usernames against the Have I Been Pwned? list curated by Troy Hunt. If you will be automating this check, this service requires you to register for an API key via https://haveibeenpwned.com/API/Key , and an API key costs $3.50 US per month (Credit card required).
- Have I Been Pwned (HIBP) - Another way to use a small portion of each password hash in HIBP and then check the full hash locally against the list of hashes returned by HIBP. This is not ideal. I would appreciate advice on a better path.
Andrew Schofield has a KeePass plug-in to automate this process https://github.com/andrew-schofield/keepass2-haveibeenpwned