How securely do they store user passwords & how good are they at letting us know?
@PasswordStorage • Rating guide
Params: N=16384, p=1, r=8
Full algorithm: HMAC-SHA-256(scrypt(HMAC-SHA-256(HMAC-SHA-1(MD5(password)))))
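The chain above, written out as an added example (not the rated site's code and not from the rating page): MD5 of the password, HMAC-SHA-1, HMAC-SHA-256, scrypt with N=16384, r=8, p=1, then an outer HMAC-SHA-256. The page does not say how each HMAC is keyed, so the keying here is an assumption: the two salt-keyed HMACs use a per-user random salt, and the middle HMAC-SHA-256 uses a server-side secret ("pepper") that is kept out of the database. The salt length, scrypt output length, and demo values are also assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters as quoted above
SCRYPT_N = 16384   # CPU/memory cost; memory use is roughly 128 * N * r = 16 MiB
SCRYPT_R = 8       # block size
SCRYPT_P = 1       # parallelisation
SALT_LEN = 20      # assumption: length of the per-user random salt
DKLEN = 32         # assumption: scrypt output length fed into the outer HMAC


def hash_chain(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Compute HMAC-SHA-256(scrypt(HMAC-SHA-256(HMAC-SHA-1(MD5(password))))).

    Keying is an assumption: the inner HMAC-SHA-1 and the outer HMAC-SHA-256
    are keyed with the per-user salt; the middle HMAC-SHA-256 is keyed with a
    server-side secret (pepper) that is never stored beside the hash.
    """
    cur = hashlib.md5(password.encode("utf-8")).digest()        # MD5(password)
    cur = hmac.new(salt, cur, hashlib.sha1).digest()             # HMAC-SHA-1, keyed with salt
    cur = hmac.new(pepper, cur, hashlib.sha256).digest()         # HMAC-SHA-256, keyed with pepper
    cur = hashlib.scrypt(cur, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, dklen=DKLEN)                 # slow, memory-hard step
    cur = hmac.new(salt, cur, hashlib.sha256).digest()           # outer HMAC-SHA-256, keyed with salt
    return cur


def make_record(password: str, pepper: bytes, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: only the salt and the final digest are persisted."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return {"salt": salt, "hash": hash_chain(password, salt, pepper)}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute the chain with the stored salt and compare in constant time."""
    candidate = hash_chain(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # constructed demo values; a real deployment keeps the pepper in a secret store
    demo_pepper = b"server-side-secret-not-in-the-database"
    rec = make_record("correct horse battery staple", demo_pepper)
    print("stored salt:", rec["salt"].hex())
    print("stored hash:", rec["hash"].hex())
    print("correct password verifies:",
          verify_password("correct horse battery staple", rec, demo_pepper))
    print("wrong password verifies:",
          verify_password("Tr0ub4dor&3", rec, demo_pepper))
```

The only step that costs an attacker anything is the scrypt call; with N=16384 and r=8 each guess needs about 16 MiB of memory, which is what makes the function "slow" in the rating's sense. The MD5 and HMAC layers add no meaningful strength on their own; they are there so that older stored hashes could be wrapped in the stronger construction without a password reset. The pepper-keyed HMAC means a database dump alone is not enough to start cracking, provided the pepper really is stored elsewhere.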
Disclosures:
A slow hashing function is used, but this is disclosed only "invisibly": in a blog post, a talk, or on social media rather than on the site itself.
Recommended change: Publish the password storage and hashing details visibly on the site (e.g. in the docs or FAQ), then let me know.
Note: Due to a bug, passwords were written to an internal log before bcrypt hashing was completed, so they were stored in plaintext in that log. The bug was fixed in May 2018.
Site uses a slow hashing function, and this is disclosed "on-site" (in the docs, FAQ, etc.).