github.com password storage disclosures

GitHub, Inc.

github.com

Rating A

bcrypt (disclosed May 2018)

Details

Disclosures:

2013-11-20 blog ^arch (“passwords are stored properly” links to Wikipedia bcrypt article)
2018-05-03 docs ^arch

History

Plaintext (disclosed May 2018)

Details

Note: GitHub discovered that a bug exposed a small number of users' passwords to their internal logging system, recording plaintext user passwords when users initiated a password reset. The bug was fixed in May 2018, and was introduced shortly before fixing it.

Disclosures:

2018-05-01 independent site ^arch
2018-05-04 Twitter (private account) ^arch

Why "A"?

Site uses a slow hashing function, this is disclosed "on-site", in the docs, FAQ, etc.