Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?

Your question contains several false assumptions:

  • If you're a security conscious user, you'd change your passwords regularly on any website that matters

According to my password manager I have more than hundreds of accounts and most of them would do harm to me if compromised. Changing all of them regularly (like every 90 days) is a huge amount of work. So I use strong passwords generated by the password manager instead. But some services still save passwords in clear text.

  • and thus leaks would not affect you in the first place.

Let's say I would change every password every 90 days. There is still the possibility that there are 89 days where my account is compromised and the attacker has time to do anything including changing my password. When you know your account is in the list, you can act instantly.

See previous point.

  • So why are people so interested in using haveibeenpwned?

To know which accounts are affected and to figure out which service got hacked/where the accounts came from.

With this knowledge:

  • I can change the password instantly.
  • I know which service is less trustworthy for sensitive data, money, ... and I might close my activity at this service.
  • If this service has a messaging system, I know to be more alert to messages from "friends", because the account might be stolen.
  • I know which of my data might be compromised (data at the hacked service).

Changing passwords often is not considered a best practice anymore.

People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security-conscious user, but the information is valuable to all users because, regardless of your password-age practice, the password should be changed immediately upon knowledge of a breach.

Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.

The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.

HIBP gives that notification of compromise.