Why?

This started as a personal collection of various sites disclosing their password storage algorithms. I thought it might be useful to make the collection public, so I did. This site should encourage sites to publicly disclose how they store user passwords, and to rework it if they don't do it in a secure way. Besides, why not?

How's the rating calculated?

See the Rating guide.

How to get listed?

Publicly disclose how do you store user passwords. If they are hashed and how, or if they are stored in a readable way. You can disclose in your on-line docs, a blog post, a tweet, or a Facebook post, just wherever you feel it's best for you. The disclosure will then be rated according to the Rating guide and the grade will be published here. Don't forget to let me know e.g. by email or a tweet to @spazef0rze.

Would telling you how passwords are stored make them less secure?

No, they are either stored securely, or not. If you use one of the slow hashes, your users' passwords are most probably stored securely. And if you do it any other way and don't want to tell us because it's bad (and you should feel bad!) then just redo your password storage and then tell us.

Any notable examples?

This major Czech company switched from using SHA-1 to bcrypt, then to Argon2. Facebook uses something they call The Onion (because it has layers). Twitter uses bcrypt.

Is this a copycat of plaintextoffenders.com?

No, it's not. While plaintextoffenders.com lists sites that email you your password after you've forgotten it or after signing in, my goal is to document how sites store user passwords and how good they are at letting them know. I want to highlight companies doing great job too, not just the crappy ones. But I love Plain Text Offenders nonetheless. And I mean the site.

How do you independently discover a plaintext storage?

If you forget your password, and the site emails the original one back to you, then it most probably is storing them in plaintext. It could be storing them encrypted too, but seems it's a less frequent option than a plaintext storage. So I'll go with the worst-case scenario, and rate the site with grade F, which is used for rating plaintext storage, not grade E, used for encrypted password storage. Companies have an urge to correct me when the rating is wrong, so it's also motivational for them in it's own special way.

You can also use my PHP hash "collisions" technique exploiting the fact that in PHP, md5('240610708') == md5('QNKCDZO') (not with ===), modified for detecting a plaintext storage. Some companies were caught red-handed using this trick, like this Czech news site.

Note: when the service emails you your password right after signing up, they could still store the password securely, they have just emailed it to you before storing it. And no, emailing passwords is not right.