So, the problem here is that many of these tools just look to see if you’re using an address that is known to have been compromised on that site. But I changed my password on that site, so I’m no longer vulnerable to that compromise. But the tool just sees my address and doesn’t know of or acknowledge the fact that I have already remediate that one.<p>As for using an insecure password, I fix those as I come across them, and store the new fixed password in my secure password manager. But just because I happen to have used a password in the past on a given site that is now known to be weak, doesn’t mean that password on that site has actually been compromised — the password is just weak and needs to be replaced.<p>These tools need to get better at detecting the real compromise and the remediation thereof, and not just crying wolf over the fact that my e-mail address on that site may have lead attackers to a password that I once used long ago, but which I haven’t used anywhere else.