PassFail.wtf

About PassFail.wtf

A community-driven platform that grades websites and services on their password and authentication policies. We grade companies. We educate users. We pressure change.

The Origin Story


The Condé Nast Incident

Thomas had a digital subscription to Wired magazine. He registered an account using LastPass, which generated a perfectly reasonable 24–25 character password. Pasted it in, created the account, moved on.

About a week later, he went to sign back in. Password rejected. After troubleshooting, he discovered what had happened: the registration form had silently truncated his password. No warning, no error, no indication whatsoever.

But here's the part that elevates this from “bad” to “unbelievable”: the login form did NOT truncate. It accepted the full-length password and tried to match it against the truncated version stored during registration. So the system actively locked out users who used strong passwords.
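To show the failure mode described above in code, here is an added example (not PassFail's or Condé Nast's own code): an account store that truncates at registration but not at login, beside a version that applies one explicit limit on both paths. The 20-character truncation point and the PBKDF2 hashing are assumptions; the page states neither.

```python
import hashlib
import os
import secrets

# Constructed value: the page does not say where the form truncated, so 20
# characters stands in for the legacy limit.
LEGACY_MAX_LEN = 20
MAX_LEN = 64  # NIST SP 800-63B: verifiers should accept at least 64 characters

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever KDF the real site uses; the bug is KDF-independent.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _reject_overlength(password: str) -> None:
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters is rejected")

class BrokenAccounts:
    """Registration silently truncates, login does not: the mismatch described above."""

    def __init__(self) -> None:
        self.store: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        truncated = password[:LEGACY_MAX_LEN]  # no error, no warning to the user
        salt = os.urandom(16)
        self.store[user] = (salt, _digest(truncated, salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.store[user]
        return secrets.compare_digest(_digest(password, salt), stored)  # full input

class FixedAccounts(BrokenAccounts):
    """The fix: one explicit, visible length rule, applied identically on both paths."""

    def register(self, user: str, password: str) -> None:
        _reject_overlength(password)
        salt = os.urandom(16)
        self.store[user] = (salt, _digest(password, salt))  # stored exactly as entered

    def login(self, user: str, password: str) -> bool:
        _reject_overlength(password)
        return super().login(user, password)

def round_trip(password: str) -> tuple[bool, bool]:
    # Register, then log in with the same password, on the broken and fixed systems.
    broken, fixed = BrokenAccounts(), FixedAccounts()
    broken.register("thomas", password)
    fixed.register("thomas", password)
    return broken.login("thomas", password), fixed.login("thomas", password)
```

Any password longer than the legacy limit locks the user out of the broken system on the very first login, while a password within the limit works on both, which is exactly why only users with strong passwords were affected.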

The irony: Condé Nast publishes Wired, a magazine that regularly covers cybersecurity and digital privacy.

This isn't just a funny anecdote. It represents a class of problems: companies that silently undermine the security choices of responsible users, password policies that punish people for using password managers, and a complete lack of accountability. There's nowhere to check how a company handles passwords before you trust them with yours.

PassFail.wtf exists because Thomas got locked out of his Wired subscription by a 2003-era password form, and realized there was nowhere to warn the next person.

Mission


Grade companies

Systematically evaluate password and auth policies against modern standards.


Educate users

Help people understand what good and bad password policies look like.


Pressure change

Public accountability creates incentives for companies to improve.

Grading Methodology

Every site is scored across 10 categories for a maximum of 110 base points. Grades are community-submitted and require evidence (screenshots with URL bar visible).

Category                                  Points
Password Length Policy                    25 pts
Character & Composition Rules             15 pts
Multi-Factor Authentication               20 pts
Anti-Pattern Penalties                    15 pts
Password Manager Compatibility            10 pts
Breach Response & Credential Hygiene      10 pts
Transparency & Communication               5 pts
Username & Account Identity Policies       5 pts
Default & Initial Password Practices       5 pts
Email Privacy & Disposable Domains        −3 penalty
Total                                    110 pts

Grade Scale

Grade   Percentage   Points
A+      95–100%      105–110
A       90–94%       99–104
B       80–89%       88–98
C       70–79%       77–87
D       60–69%       66–76
F       0–59%        0–65

Formula: (total_score / 110) × 100 = percentage → letter grade

NIST Standards We Follow

Our rubric is grounded in NIST Special Publication 800-63B, the definitive U.S. government guidance on digital identity authentication. Key principles:

  • Minimum 8 characters; recommend up to 64 characters
  • Do NOT impose complexity requirements (no forced uppercase/numbers/symbols)
  • Do NOT force periodic password rotation
  • Check passwords against known-breach lists
  • Allow all printable ASCII and Unicode characters including spaces
  • Do NOT use password hints or knowledge-based authentication
  • Offer multi-factor authentication

Many of these recommendations were published in 2017. Companies that still violate them in 2026 have had almost a decade to catch up.

Evidence Requirements

All submissions must include:

  • Screenshots with URL bar visible
  • Date tested
  • Tester notes explaining observations
  • Grades are valid for 6 months, then marked "needs re-verification"

How to Contribute

PassFail is community-powered. Here's how you can help:

Ready to grade a site?

Know a site with a terrible password policy? Submit it. Earn karma. Hold companies accountable.

Stay ahead of policy changes

New audits, policy changes, and security research, with no spam.