
What would backdooring HIBP achieve?

It's not a repository or method of communications.



Pwned Passwords uses tricky crypto to make sure his service never sees your full password. He could use trickier crypto to make sure that it does.
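The "tricky crypto" the comment refers to is the k-anonymity range query: the client hashes the password locally, sends only the first five hex characters of the SHA-1 to `https://api.pwnedpasswords.com/range/{prefix}`, gets back every known suffix in that bucket as `SUFFIX:COUNT` lines, and does the final comparison itself. The following is an added example, not HIBP's own code; the breach corpus and counts are constructed for the demo, and a fake in-process endpoint stands in for the real HTTP call so it runs offline.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the breach corpus. Passwords and counts are made up
# for this example; they are not real Pwned Passwords figures.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 3861493,
    "123456": 23597311,
    "letmein": 236057,
}

# Everything the (fake) server ever receives is recorded here so the test can
# confirm it only ever sees 5-character prefixes, never a full hash or password.
SERVER_LOG: List[str] = []


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 uppercase hex characters (HIBP's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Client side: hash locally and split into the 5-char prefix that is sent
    to the server and the 35-char suffix that stays on the client."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def build_fake_range_store() -> Dict[str, List[str]]:
    """Index the constructed corpus the way the range endpoint serves it:
    prefix -> list of 'SUFFIX:COUNT' lines."""
    store: Dict[str, List[str]] = {}
    for pw, count in CONSTRUCTED_BREACHED.items():
        prefix, suffix = split_for_range_query(pw)
        store.setdefault(prefix, []).append(f"{suffix}:{count}")
    return store


FAKE_STORE = build_fake_range_store()


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in (assumption) for GET /range/{prefix}. The real API returns
    CRLF-separated 'SUFFIX:COUNT' lines for every suffix in that bucket."""
    SERVER_LOG.append(prefix)
    return "\r\n".join(FAKE_STORE.get(prefix, []))


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map, tolerating blank
    lines and either line ending."""
    parsed: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        parsed[suffix.upper()] = int(count)
    return parsed


def pwned_count(password: str, fetch: Callable[[str], str] = fake_range_endpoint) -> int:
    """Return how many times the password appears in the corpus, doing the
    suffix comparison on the client so the server never learns the full hash."""
    prefix, suffix = split_for_range_query(password)
    bucket = parse_range_response(fetch(prefix))
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", pwned_count(candidate))
    print("server saw only:", SERVER_LOG)
```

Swapping `fetch` for a real HTTP GET of `https://api.pwnedpasswords.com/range/{prefix}` is the only change needed to use it against the live service; the point of the design is that the server-side endpoint cannot be changed to recover more than the prefix unless the client code is also changed, which is what the reply below is getting at.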


I think that's a bit of a reach.

That's all client/requester side, which has been implemented on third-party sites/services. There'd be a lot of questions raised if suddenly it required that you use a different technique.

A more subtle and (IMO) more realistic variant would be to backdoor the javascript to capture all input on that site instead.

But you have to ask yourself - who would be the government target, in that case?

They'd have to:

- Have a technically sophisticated target where the government doesn't know their password, and is unable to otherwise break their security (e.g. forcing Google/Apple/Microsoft/etc. to do the work, cloning devices, regular surveillance)

- Have that same target also regularly test their passwords against a password strength meter on the public webpage.

- Be willing to risk a public leak that this was happening.

I don't think that anyone who meets the first point would be stupid enough to meet the second. I mean, sure, people make plenty of dumb mistakes - but surely not that one, repeatedly.


It is a reach, yes, but that doesn't change the fact that Troy is in a position of trust; which may not be wise given his citizenship.



