This started as a personal collection of various sites disclosing their password storage algorithms. I thought it might be useful to make the collection public, so I did. This site should encourage sites to publicly disclose how they store user passwords, and to rework their storage if they don't do it securely. Besides, why not?

How's the rating calculated?

See the Rating guide.

How to get listed?

Publicly disclose how you store user passwords: whether they are hashed and with which algorithm, or whether they are stored in a readable form. You can disclose it in your online docs, a blog post, a tweet, or a Facebook post, wherever you feel is best for you. The disclosure will then be rated according to the Rating guide and the grade will be published here. Don't forget to let me know, e.g. by email or a tweet to @spazef0rze.

Would telling you how passwords are stored make them less secure?

No. Passwords are either stored securely, or they are not; the algorithm being public changes nothing, because once the database leaks, the attacker sees the hash format anyway (the stored string usually identifies the algorithm). If you use one of the slow, salted hashes (bcrypt, scrypt, Argon2, PBKDF2), your users' passwords are most probably stored securely. And if you do it any other way and don't want to tell us because it's bad (and you should feel bad!), then just redo your password storage and then tell us.

Any notable examples?

This major Czech company switched from using SHA-1 to bcrypt. Facebook uses something they call The Onion (layered hashing, hence the name). Twitter uses bcrypt.
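The SHA-1 to bcrypt switch above raises the practical question of what to do with the SHA-1 digests you already have: waiting for every user to log in leaves the old unsalted, fast hashes in the database for years. The following is an added example, not the code of any site listed here, showing the general technique of wrapping each existing SHA-1 digest inside a slow hash in one offline pass and then dropping the SHA-1 layer the next time the user logs in. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash in place of bcrypt so it runs without third-party packages; the approach is the same for any of the slow hashes. The storage format (`$scheme$iterations$salt$digest`), the function names and the sample table are all my own assumptions.

```python
"""Migrating legacy SHA-1 password hashes to a slow, salted hash.

Added example; not code from any site discussed on the page. PBKDF2-HMAC-SHA256
(hashlib.pbkdf2_hmac) stands in for bcrypt here so the example runs offline with
the standard library only. The storage format and names are this example's own.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256


def legacy_sha1(password: str) -> str:
    """The old scheme: unsalted, fast hex(SHA-1(password)).

    Kept only to describe the 'before' state and to recompute the inner
    value during verification. Never store new passwords this way."""
    return hashlib.sha1(password.encode()).hexdigest()


def _slow(inner: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", inner, salt, iterations)


def _encode(scheme: str, iterations: int, salt: bytes, digest: bytes) -> str:
    # Assumed storage format: $scheme$iterations$salt_hex$digest_hex
    return f"${scheme}${iterations}${salt.hex()}${digest.hex()}"


def _decode(stored: str) -> Tuple[str, int, bytes, bytes]:
    _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
    return scheme, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Direct scheme: used for new passwords and for re-hashing after login."""
    if salt is None:
        salt = os.urandom(16)
    return _encode("pbkdf2-sha256", iterations, salt,
                   _slow(password.encode(), salt, iterations))


def upgrade_legacy_hash(sha1_hex: str, salt: Optional[bytes] = None,
                        iterations: int = ITERATIONS) -> str:
    """Wrap an existing SHA-1 digest in the slow hash without knowing the password.

    This runs over the whole user table in one offline pass, so a database
    leak the day after migration no longer exposes fast, unsalted digests.
    The inner value is the hex string exactly as the old scheme stored it."""
    if salt is None:
        salt = os.urandom(16)
    return _encode("sha1+pbkdf2-sha256", iterations, salt,
                   _slow(sha1_hex.encode(), salt, iterations))


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either stored format.

    Returns (ok, new_stored). new_stored is a fresh direct hash when the login
    succeeded against a wrapped legacy hash, so the caller can overwrite the
    row and drop the SHA-1 layer; it is None otherwise."""
    scheme, iterations, salt, digest = _decode(stored)
    if scheme == "pbkdf2-sha256":
        inner = password.encode()
    elif scheme == "sha1+pbkdf2-sha256":
        inner = legacy_sha1(password).encode()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    # Constant-time comparison so the check leaks nothing about the digest.
    ok = hmac.compare_digest(_slow(inner, salt, iterations), digest)
    if ok and scheme == "sha1+pbkdf2-sha256":
        return True, hash_password(password)
    return ok, None


def migrate_table(rows: dict) -> dict:
    """Offline pass: wrap every legacy SHA-1 digest. Returns a new {user: stored}."""
    return {user: upgrade_legacy_hash(sha1_hex) for user, sha1_hex in rows.items()}


if __name__ == "__main__":
    # Constructed sample table in the old format (hex SHA-1, no salt).
    users = {"alice": legacy_sha1("correct horse battery staple"),
             "bob": legacy_sha1("hunter2")}
    migrated = migrate_table(users)
    ok, upgraded = verify("hunter2", migrated["bob"])
    print("bob login:", ok, "| row rewritten to direct scheme:", upgraded is not None)
    print("bob after upgrade:", verify("hunter2", upgraded))
```

The wrapped rows are recognisable by their scheme tag, so you can report how many legacy layers remain and, if you want, force a reset for accounts that have not logged in within a reasonable period. Note that wrapping does not fix what SHA-1 left behind: the inner digest is still unsalted, so two users with the same password share the same inner value; that is why the layer is removed at the first successful login rather than kept.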

Is this a copycat of plaintextoffenders.com?

No, it's not. While plaintextoffenders.com lists sites that email you your password after you've forgotten it or after signing up, my goal is to document how sites store user passwords and how good they are at telling their users about it. I want to highlight companies doing a great job too, not just the crappy ones. But I love Plain Text Offenders nonetheless. And I mean the site.