> Passwords are protected with an anonymity model, so we never see them (they're processed in the browser itself), but if you're wary, just check old ones you may suspect.

That could mean one might be able to disconnect from the internet while checking.

No, it doesn't mean that, that's ridiculous. How would that work? Magic?

[deleted]

Download all the hashes first - not practical.

It's more practical than you may think. It just needs about 40 GB right now. I did it a couple of years back in a fit of peculiar paranoia, downloaded the full hash list and checked all my KeePass-stored passwords at that time against it.

https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader

The above post https://news.ycombinator.com/item?id=45840724 links to 71.3 KiB of data; since it's a 5-nybble prefix (20 bits) we may easily estimate a size of 71.3 GiB assuming that's a representative sample. Not unfeasible nowadays, but it seems you do have to make separate requests and would presumably be rate-limited on them.

If you only download the hash pages corresponding to passwords you hold, even supposing that everything else is fully compromised, an attacker would have to reverse a couple thousand SHA-1 hashes, dodge hash collisions, and brute-force with the results (yes, yes: arson, murder and jaywalking) to pwn you.
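The range lookup the thread is describing, as an added example that is not part of any comment above and not HIBP's own code: the password is SHA-1 hashed locally, only the first 5 hex characters (20 bits) leave the machine, and the returned "SUFFIX:COUNT" lines are matched against the remaining 35 characters on the client. `offline_fetch`, the sample rows and the count shown for "password" are constructed stand-ins for the network call; the 71.3 KiB extrapolation is the one made in the thread.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_HEX_CHARS = 5  # 5 nybbles = 20 bits leave the machine; the other 140 bits stay local

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password locally and split the hex digest into the 5-char
    prefix that is sent to the server and the 35-char suffix that never is."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_HEX_CHARS], digest[PREFIX_HEX_CHARS:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line, CRLF-terminated in the
    real API). Rows with count 0 are padding and are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 = not found).
    fetch_range(prefix) stands in for the HTTPS call; only the prefix is passed."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def estimate_corpus_bytes(sample_bytes: float, prefix_bits: int = 20) -> float:
    """Extrapolate the full download from one range, assuming ranges are
    roughly uniform in size (the estimate made in the thread)."""
    return sample_bytes * 2 ** prefix_bits

# Constructed stand-in for one range response. The first suffix is the real
# SHA-1 tail of "password"; its count and the other two rows are made up.
SAMPLE_RESPONSES = {
    "5BAA6": ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
              + "A" * 35 + ":0\r\n"      # padding row, count 0
              + "F" * 35 + ":2\r\n"),
}

def offline_fetch(prefix: str) -> str:
    """Offline substitute for the range endpoint; serves only the sample above."""
    return SAMPLE_RESPONSES.get(prefix, "")

if __name__ == "__main__":
    print(check_password("password", offline_fetch))                      # 3861493
    print(check_password("correct horse battery staple", offline_fetch))  # 0
```

Swapping `offline_fetch` for a function that GETs the range endpoint with the prefix is the only change needed to run it for real; the suffix comparison stays local either way.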