+12

Use Have I Been Pwned API to check for Pwned passwords

Michel Meyers 5 years ago updated 5 years ago 4

Use the HIBP Pwned Password API (with k-anonymity) to check whether passwords being added/edited have been breached before and display a warning if they have.

Documentation on the API is here:

https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange

IMO, there should be an option to toggle and disable this, some people (including me) may not want to transmit their password to that site.

+1

I am always for options/toggles, however to clear up your misunderstanding: The HaveIBeenPwned password check does not work by transmitting the password to their site! (See the linked API documentation.) Only the first 5 characters of the hashed password are transmitted and HIBP then returns all the suffix-hashes for known leaked passwords, along with a number indicating how often they've been found in public leaks, allowing you to locally compare those against the full hash of your password. (The method is called k-anonymity and is described further here: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ ) Neither your password nor the full SHA-1 hash ever leaves your system.

Example: "Password"

SHA-1 hash: 8be3c943b1609fffbfc51aad666d0a04adf83c9d
API URL: https://api.pwnedpasswords.com/range/8be3c

Returns among others this suffix:

943B1609FFFBFC51AAD666D0A04ADF83C9D:130999

So "Password" has been found in leaks 130999 times, and is not a good password to use.

Example: "tun834v9y8n347mv834yv34"

SHA-1 hash: d896bd51f8362d72e90f00617f16bbbd571e4aa0
API URL: https://api.pwnedpasswords.com/range/d896b

Checking for the suffix "d51f8362d72e90f00617f16bbbd571e4aa0" in the returned hashes returns no results, so "tun834v9y8n347mv834yv34" was not found in any leaks (yet). (Would have been a good password... now it no longer is, of course.)
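The range lookup walked through above, as an added example (not code from the original post or from the product being discussed): the password is hashed locally, only the 5-character prefix leaves the machine, and the returned suffix list is compared against the rest of the hash. The `SAMPLE_RANGES` body and `fake_fetch_range` are constructed stand-ins for the HTTPS call so the example runs offline; `fetch_range_live` shows the real request but is not invoked.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of a response for GET https://api.pwnedpasswords.com/range/8BE3C.
# Real responses contain hundreds of "SUFFIX:COUNT" lines; the two neighbours here
# are made up, the "Password" entry is the one quoted in the post above.
SAMPLE_RANGES: Dict[str, str] = {
    "8BE3C": (
        "0011D5C3A30C8C7C2E4F3D1E7A9B2C4D5E6:2\r\n"
        "943B1609FFFBFC51AAD666D0A04ADF83C9D:130999\r\n"
        "FFA1B2C3D4E5F60718293A4B5C6D7E8F901:1\r\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the network call: returns the constructed sample body, or an
    empty body for prefixes we have no sample for (hypothetical helper)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """The real k-anonymity request: only the 5-hex-char prefix is sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash locally; split into the 5-char prefix to send and the 35-char suffix to keep."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str] = fake_fetch_range) -> int:
    """Number of times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)
```

Pass `fetch=fetch_range_live` to `pwned_count` to query the real API; the comparison still happens locally against the suffix list that comes back.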

Well, this was not some 'misunderstanding', it is more like a new feature (V2 API) was rolled out and people are unaware of this; this was a new addition over V1, from the author's own blog:

'Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2.'

https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

I specifically linked to the V2 API in the original suggestion.