How securely do they store user passwords & how good are they at letting us know?
This started as a personal collection of various sites disclosing their password storage algorithms. I thought it might be useful to make the collection public, so I did. This site should encourage sites to publicly disclose how they store user passwords, and to rework it if they don't do it in a secure way. Besides, why not?
Publicly disclose how you store user passwords: whether they are hashed and how, or whether they are stored in a readable way. You can disclose in your on-line docs, a blog post, a tweet, or a Facebook post, wherever you feel it's best for you. The disclosure will then be rated according to the Rating guide and the grade will be published here. Don't forget to let me know, e.g. by email or by tweeting @spazef0rze.
No, they are either stored securely, or not. If you use one of the slow hashes, your users' passwords are most probably stored securely. And if you do it any other way and don't want to tell us because it's bad (and you should feel bad!) then just redo your password storage and then tell us.
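As an added illustration of the "slow hash" point above (this is example code, not something from this site or from any of the rated companies), here is a salted, iterated PBKDF2-HMAC-SHA256 store-and-verify routine next to the unsalted fast hash it replaces. The helper names, the storage string format and the iteration count are assumptions chosen for this example, not a standard the page prescribes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a high iteration count makes each
# guess in an offline attack cost as much as a legitimate login does.
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32
ALGO_TAG = "pbkdf2-sha256"  # hypothetical tag for the stored-string format


def fast_unsalted_hash(password: str) -> str:
    """The weak approach: one unsalted SHA-256. Identical passwords give
    identical digests and a single pass is cheap to brute-force."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: tag$iterations$salt$derived_key.
    A fresh random salt per user means equal passwords look different."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return "$".join([
        ALGO_TAG,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count
    and compare in constant time. Malformed records never verify."""
    try:
        tag, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        iterations = int(iters)
    except ValueError:
        return False
    if tag != ALGO_TAG or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credential; not real user data.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("same pw, same fast digest:",
          fast_unsalted_hash("hunter2") == fast_unsalted_hash("hunter2"))
```

The stored string carries its own iteration count, so the cost can be raised for new hashes while old records still verify until the user next logs in and is re-hashed; that is the property that lets a site upgrade its storage and then disclose the improvement.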
No, it's not. While plaintextoffenders.com lists sites that email you your password after you've forgotten it or after signing in, my goal is to document how sites store user passwords and how good they are at letting users know. I want to highlight companies doing a great job too, not just the crappy ones. But I love Plain Text Offenders nonetheless. And I mean the site.