I know 1Password used haveibeenpwned.
According to the website: "When you search Pwned Passwords
The Pwned Passwords feature searches previous data breaches for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP per the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover what the original password was."
But if it only compares the first 5 characters, isn't there a great deal of collision? So just because it says my password was listed does not mean it was pwned.
@pathfinder76 The probability of a collision on the first 5 hex characters of a SHA-1 hash is 16^-5 or ~1 in 1 million. If haveibeenpwned says there's a collision, best to assume yes, you have been pwned.
It's equally safe. In no case is the password transmitted. I guess the more foolproof option is the indirect use via Watchtower, because it's checking your whole password store and not just one password, and since you don't copy and paste passwords into some input field, it cannot happen that you accidentally paste it somewhere it doesn't belong.
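The range lookup described in the quoted Pwned Passwords text, as an added example that is not part of the original thread or 1Password's code: the client sends only the 5-character prefix, receives the hash suffixes that share it in the range API's `SUFFIX:COUNT` line format, and compares the remaining 35 characters locally. `FakeRangeService`, the sample passwords and the counts are constructed stand-ins so the example runs offline.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest sent to the service


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_body(body):
    """Parse SUFFIX:COUNT lines, skipping blank or malformed ones."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Breach count for the full hash; 0 when only the prefix is shared."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


class FakeRangeService:
    """Constructed stand-in for the server side; records what it is sent."""

    def __init__(self, hashes_with_counts):
        self.corpus = hashes_with_counts
        self.seen = []

    def fetch_range(self, prefix):
        self.seen.append(prefix)
        return "\r\n".join(
            f"{h[PREFIX_LEN:]}:{n}" for h, n in self.corpus.items()
            if h.startswith(prefix))


def demo():
    listed, unlisted = "password", "constructed-unlisted-passphrase"
    p1, s1 = split_hash(listed)
    p2, _ = split_hash(unlisted)
    # Constructed corpus: one real match, one entry sharing only a prefix.
    service = FakeRangeService({p1 + s1: 1234, p2 + "F" * 35: 7})
    results = (breach_count(listed, service.fetch_range),
               breach_count(unlisted, service.fetch_range))
    return results, service.seen
```

`demo()` returns the two counts and the list of prefixes the stand-in service received; the second password gets a non-empty response for its prefix but a count of 0.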