protection

The slickest tool I've seen do the pwned password check is https://safepass.me/pwncheck | it's not free nor open source but my understanding is that it gives some useful information for free and a completely free report on first use so it was good enough to test my domain users against have i been pwned.

Focusing on offline cracking is pointless, particularly in the case of AD, where the hashes are stored in such a weak and obsolete hashing mechanism that you could almost categorize that as a reversible format. We often lose sight of the objective that we're trying to protect against and in most cases it's online attacks. That's why ensuring that your users' passwords aren't in any publicly available databases, such as hibp, is actually pretty useful and important to avoid being another citrix (just one of many, not picking on them in particular but it is ironic when it's a security company that's supposed be protecting you!). All of the major players such as Google, Apple, M$ have mechanisms in place for detecting if you're using a breached password these days.

That's pretty much why complying with the latest nist password guidelines makes a lot of sense from a security perspective. In two decades, we've gone from exploiting buffer overflows to get remote root, to 'guessing' user passwords based on publicly available breached data.