Hacker News

As used here, the term "preventative" means an approach or strategy that seeks to prevent email addresses from becoming public and the term "remedial" means an approach or strategy that seeks to limit damage if email addresses become public

To reduce risk from data breaches one option is to send less personal data to websites rather than more (preventative)

One old strategy is to not "sign up" for websites unless absolutely necessary (preventative), e.g., to complete a commercial transaction. On the early www, sites publishing public information generally did not ask for email addresses

Another old strategy is to use account-specific addresses and account-specific passwords that identify the account, the date and the computer used, i.e., some user-constructed identifier only known to the computer user (remedial)

Alas today's website operators, including ones offering nothing more than public information, attempt to convince visitors to "sign up" and submit email addresses, even when it is not necessary to access the public information

The website operators benefit from this data collection

As such, data collectors may not recommend that users stop signing up for websites and sending email addresses (preventative). It would reduce their benefit. Instead, they encourage it

HIBP is one such data collector. It requests email addresses in order to search public information

HIBP focuses on behavioural trends with respect to passwords (remedial) instead of behavioural trends in sharing personal data with website operators (preventative)

The operator even admits having an interest in password managers

"My interest in 1Password aside"

Data breaches share private information with the public, making it, detrimentally,^1 public information. This is how it becomes accessible to HIBP

An obvious mitigation strategy is to limit the amount of private information collected (preventative), thereby limiting the amount that could ever be shared with the public in a data breach. This is "preventative"

HIBP is "remedial", i.e., it assumes private information has become public. Without data breaches to collect and search, HIBP would not exist

The two approaches, preventative and remedial, are not mutually exclusive

Both can be used at the same time (preventative plus remedial)

HIBP appears to ignore the preventative approach of modifying behaviour to not submit email addresses to websites. Perhaps because HIBP itself engages in data collection. It solicits email addresses

Unfortunately, one cannot use an account-specific address with HIBP. It solicits addresses that have potentially been used for other accounts

1. Arguably breaches are not detrimental for HIBP since it profits from their existence. If there were a reduction in data breaches, could HIBP continue to successfully solicit more email addresses? If there were behavioural changes that resulted in www users creating fewer accounts and sharing fewer email addresses, would demand for password managers such as 1Password be reduced?
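The account-specific-address strategy described in the comment above, worked through as an added example; this is not code from the commenter or from HIBP. It assumes a mailbox that accepts RFC 5233 subaddresses (`me+tag@example.com`), a per-user secret that is never sent to any website, and a private ledger of which alias was issued to which account; the secret, domain, account names, dates, host names and the "leaked" addresses below are all constructed for the example. The tag is an HMAC over account, date and computer, so the address itself reveals nothing to a site or a breach reader, while the holder of the secret can still recompute it and tell which account leaked.

```python
"""Per-account e-mail aliases: one address per sign-up, and a lookup that maps
an address found in a breach back to the account, date and computer it was
issued for. Added illustration; not code from HIBP or the comment's author.
"""
import hashlib
import hmac
from datetime import date
from typing import List, Optional, Tuple

# Assumption: the mailbox delivers local+tag@domain to the base mailbox.
# Not every website accepts a "+" in an address; that is a known limitation.
MAILBOX_LOCAL = "me"
MAILBOX_DOMAIN = "example.com"

# Assumption: a per-user secret kept off the web entirely, so a tag can be
# neither decoded nor forged by anyone who only sees the address.
USER_SECRET = b"example-only-secret-do-not-reuse"

Record = Tuple[str, date, str]  # (account, date issued, computer used)


def alias_tag(account: str, issued: date, host: str, secret: bytes = USER_SECRET) -> str:
    """Keyed tag binding account, date and computer; 48 bits is enough to
    distinguish a personal ledger of aliases without making the address huge."""
    msg = f"{account}|{issued.isoformat()}|{host}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def make_alias(account: str, issued: date, host: str, secret: bytes = USER_SECRET) -> str:
    """Address to hand to exactly one website, e.g. me+1a2b3c4d5e6f@example.com."""
    return f"{MAILBOX_LOCAL}+{alias_tag(account, issued, host, secret)}@{MAILBOX_DOMAIN}"


def parse_alias(address: str) -> Optional[str]:
    """Return the tag of one of our aliases, or None for any other address
    (foreign domain, no subaddress, or the bare mailbox itself)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or domain.lower() != MAILBOX_DOMAIN:
        return None
    base, plus, tag = local.partition("+")
    if not plus or base.lower() != MAILBOX_LOCAL or not tag:
        return None
    return tag.lower()


def identify_leak(address: str, ledger: List[Record],
                  secret: bytes = USER_SECRET) -> Optional[Record]:
    """Match a leaked address to the ledger entry it was issued for.

    The tag alone reveals nothing; only recomputing the HMAC with the secret
    over each ledger entry links it back. Constant-time compare avoids leaking
    which entry nearly matched, should this ever run on untrusted input."""
    tag = parse_alias(address)
    if tag is None:
        return None
    for account, issued, host in ledger:
        if hmac.compare_digest(alias_tag(account, issued, host, secret), tag):
            return (account, issued, host)
    return None


# Constructed ledger of sign-ups made over time from different computers.
LEDGER: List[Record] = [
    ("shop.example", date(2023, 5, 2), "laptop"),
    ("forum.example", date(2024, 1, 15), "desktop"),
    ("news.example", date(2024, 3, 9), "phone"),
]


def triage(breach_addresses: List[str], ledger: List[Record] = LEDGER) -> List[Optional[Record]]:
    """For each address in a constructed breach dump, say which account (if any)
    of ours it came from."""
    return [identify_leak(a, ledger) for a in breach_addresses]


if __name__ == "__main__":
    # Constructed breach sample: one of our aliases, a stranger, our bare mailbox.
    sample = [make_alias(*LEDGER[1]), "someone@else.example", "me@example.com"]
    for addr, hit in zip(sample, triage(sample)):
        print(addr, "->", hit)
```

Each site gets an address only it has ever seen, so the address turning up in a breach names the leaking site without the site ever learning the account label, date or computer encoded in it. The caveat the comment itself raises still applies: a breach-search service that asks for the base mailbox address cannot tell you which of these aliases leaked, and sites that reject or strip the `+` subaddress force you back to the shared address.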
