www.facebook.com, twitter.com password storage disclosures | Pulse

Facebook, Inc.

www.facebook.com ↗

Rating B

scrypt (disclosed December 2014)

Params: N=16384, p=1, r=8

Full algorithm: HMAC-SHA-256(scrypt(HMAC-SHA-256(HMAC-SHA-1(MD5(password)))))

Disclosures:

2014-12-09 talk ^arch (around 2:10)

A slow hashing function is used but such info is "invisible", hidden in a blog post or a talk, or on social media.

Recommended change: Publish storage and hashing info details visibly (e.g. in the docs or FAQ), then let me know.

Twitter, Inc.

twitter.com ↗

Rating A

bcrypt (disclosed May 2018)

Disclosures:

2009-06-28 docs ^arch
2016-06-09 Twitter (private account) ^arch
2016-06-10 blog ^arch
2018-05-03 blog ^arch

Plaintext (disclosed May 2018)

Note: Due to a bug, passwords were written to an internal log before completing the bcrypt hashing, resulting in passwords being stored in plaintext in the log. The bug was fixed in May 2018.

Disclosures:

2018-05-03 blog ^arch

Site uses a slow hashing function, this is disclosed "on-site", in the docs, FAQ, etc.