Rating guide

| Rating | Description |
| --- | --- |
| A | The site uses a slow hashing function and discloses this "on-site": in its docs, FAQ, etc. |
| B | A slow hashing function is used, but the information is "invisible": hidden in a blog post, a talk, or on social media. |
| C | Passwords are hashed with an unsuitable function, but at least they are salted and stretched with multiple iterations. |
| D | An inappropriate function is used to hash passwords, but the passwords are at least salted. |
| E | Unsalted passwords hashed with one iteration of an unsuitable function. |
| F | Passwords stored in plaintext (their original, readable form), or encrypted instead of hashed. |
Invisible disclosures
- blog
- changelog
- comment
- Facebook (independent account)
- Facebook (official account)
- Facebook (private account)
- independent site
- source code
- talk
- Twitter (independent account)
- Twitter (official account)
- Twitter (private account)
Accounts
An official account is a company or site account carrying official information.
A private account is run by someone who is, or was, working for the company or site; what it publishes is not official information.
An independent account is run by someone not affiliated with the company or site in any way.
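As an added example (not part of the guide), the following Python maps a site's storage description to the A-F rating above and shows, with constructed records, why the unsalted grade E is singled out. The algorithm names, the `Storage` fields and the use of MD5 and PBKDF2-HMAC as stand-ins for an "unsuitable" and a "slow" function are assumptions of the example, not the guide's.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Which functions count as purpose-built "slow" password hashes and which as
# general-purpose "unsuitable" digests is this example's own assumption; the
# guide itself names no algorithms.
SLOW_HASHES = {"bcrypt", "scrypt", "argon2", "pbkdf2"}

@dataclass
class Storage:
    scheme: str                 # "plaintext", "encrypted", or a hash name
    salted: bool = False
    iterations: int = 1
    disclosure: Optional[str] = None  # "on-site", "invisible" (blog, talk, ...)

def grade(s: Storage) -> str:
    """Map a storage description to the guide's A-F rating."""
    if s.scheme in ("plaintext", "encrypted"):
        return "F"                      # reversible: not hashed at all
    if s.scheme in SLOW_HASHES:
        return "A" if s.disclosure == "on-site" else "B"
    if not s.salted:
        return "E"                      # unsuitable, unsalted, one iteration
    return "C" if s.iterations > 1 else "D"

def stored_value(g: str, password: bytes, salt: bytes) -> bytes:
    """Constructed illustration of what a record looks like at grades A-E.
    MD5 stands in for the 'unsuitable function', PBKDF2-HMAC for a slow one."""
    if g in ("A", "B"):
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    if g == "C":                        # salted and stretched, but MD5-based
        h = salt + password
        for _ in range(10_000):
            h = hashlib.md5(h).digest()
        return h
    if g == "D":                        # salted, single iteration
        return hashlib.md5(salt + password).digest()
    if g == "E":                        # unsalted, single iteration
        return hashlib.md5(password).digest()
    raise ValueError(f"no hash form for grade {g}")

def same_password_collides(g: str) -> bool:
    """True when two users sharing a password get identical stored values,
    i.e. one crack or one precomputed table exposes every such account."""
    pw = b"correct horse battery staple"          # constructed sample password
    salt_a, salt_b = b"\x01" * 16, b"\x02" * 16   # constructed per-user salts
    return stored_value(g, pw, salt_a) == stored_value(g, pw, salt_b)
```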