Rating guide

A Site uses a slow hashing function, this is disclosed "on-site", in the docs, FAQ, etc.
B A slow hashing function is used but such info is "invisible", hidden in a blog post or a talk, or on social media.
C Passwords hashed with an unsuitable function but at least they are salted and stretched with multiple iterations.
D Inappropriate function used to hash passwords but passwords are salted, at least.
E Unsalted passwords hashed with one iteration of unsuitable function, or passwords encrypted instead of hashed.
F Passwords stored in plaintext, in their original, readable form.

Slow hashes

  1. Argon2
  2. bcrypt
  3. PBKDF2
  4. scrypt

"On-site" disclosures

  1. docs
  2. FAQ
  3. sign-up page

Invisible disclosures

  1. blog
  2. changelog
  3. comment
  4. Facebook (independent account)
  5. Facebook (official account)
  6. Facebook (private account)
  7. independent site
  8. source code
  9. talk
  10. Twitter (independent account)
  11. Twitter (official account)
  12. Twitter (private account)


Official account is a company or site account, with official information.

Private account is run by someone who is, or was, working for a company or a site, not official information.

Independent account is an account run by someone not affiliated with a company or a site in any way.