PassFail.wtf
Tags: methodology, rubric, nist

How We Grade: The PassFail Methodology

A full explanation of our 10-category rubric, the NIST standards we reference, and why we score things the way we do.

PassFail Team · March 31, 2026 · 8 min read

Why We Needed a Rubric

Grading password policies is subjective — unless you anchor it to an objective standard. Our rubric is grounded in NIST Special Publication 800-63B, the U.S. government's definitive guidance on digital identity authentication. Where NIST is silent, we use community consensus and common sense.


The 10 Categories

1. Password Length Policy (25 pts)

The single most important category. Maximum password length restrictions are the clearest signal that a company doesn't understand (or doesn't care about) password security.

  • Full points: No meaningful max (or max ≥ 64 characters) + min ≥ 12
  • Zero points: Maximum of ≤ 12 characters
  • Silent truncation: −10 penalty (the harshest in the rubric)

NIST 800-63B: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length."

2. Character & Composition Rules (15 pts)

Forcing composition rules (must have uppercase, must have a number, must have a symbol) is a NIST anti-pattern. It creates predictable passwords while appearing secure.

  • Full points: No mandatory composition rules, all ASCII + Unicode accepted
  • Partial: Allows long passwords but has some restrictions
  • Zero: Blocks special characters, limits character sets
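To make the first two categories concrete, here is an added example (not PassFail's code or tooling) that puts a composition-rule policy which silently truncates beside a verifier-side check written to the rubric: 12 to 64 code points, any Unicode, no composition rules, over-long input rejected rather than cut. The 16-character weak limit, the sample passphrases and the SHA-256 stand-in for a real password hash are constructed for illustration.

```python
import hashlib
import unicodedata

# --- Weak policy: the kind the rubric scores at zero --------------------------
WEAK_MAX = 16  # constructed limit for illustration, not any graded site's value


def weak_policy_accepts(password: str) -> bool:
    """Composition-rule policy: ASCII only, must mix upper, digit and symbol."""
    if not password.isascii() or len(password) < 8:
        return False
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return has_upper and has_digit and has_symbol


def weak_store(password: str) -> str:
    """Silently truncates before hashing: the rubric's -10 penalty case.
    (SHA-256 stands in for a real slow password hash to keep the example short.)"""
    return hashlib.sha256(password[:WEAK_MAX].encode("utf-8")).hexdigest()


def weak_verify(stored: str, attempt: str) -> bool:
    return stored == weak_store(attempt)


# --- Rubric-aligned policy ----------------------------------------------------
MIN_LEN = 12  # rubric's full-points minimum
MAX_LEN = 64  # NIST 800-63B: verifiers SHOULD permit at least 64 characters


def nist_policy_check(password: str) -> tuple[bool, str]:
    """Accept any Unicode string of MIN_LEN..MAX_LEN code points.
    No composition rules; over-long input is rejected, never truncated."""
    # NFKC normalization (NIST 800-63B 5.1.1.2) so the same passphrase typed
    # on different platforms compares equal.
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)  # code points, not bytes
    if length < MIN_LEN:
        return False, f"too short: {length} < {MIN_LEN}"
    if length > MAX_LEN:
        return False, f"too long: {length} > {MAX_LEN} (rejected, not truncated)"
    return True, "accepted"


def nist_store(password: str) -> str:
    """Hashes the whole normalized secret; same SHA-256 stand-in as above."""
    accepted, reason = nist_policy_check(password)
    if not accepted:
        raise ValueError(reason)
    normalized = unicodedata.normalize("NFKC", password)
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def nist_verify(stored: str, attempt: str) -> bool:
    normalized = unicodedata.normalize("NFKC", attempt)
    return stored == hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def demonstrate_truncation() -> dict[str, bool]:
    """Two constructed passphrases that share their first 16 characters."""
    a = "Correct-Horse-Battery-Staple-2026!"
    b = "Correct-Horse-Battery-Tractor-1999?"
    return {
        "weak_accepts_both": weak_policy_accepts(a) and weak_policy_accepts(b),
        "weak_confuses_them": weak_verify(weak_store(a), b),  # True: truncation
        "nist_confuses_them": nist_verify(nist_store(a), b),  # False
    }


if __name__ == "__main__":
    print(demonstrate_truncation())
    for pw in ["correct horse battery staple", "пароль-достаточно-длинный-2026", "Tr0ub4dor&3"]:
        print(repr(pw), "weak:", weak_policy_accepts(pw), "nist:", nist_policy_check(pw))
```

Run stand-alone, the script shows the two failure modes the rubric penalizes: the weak policy accepts the 11-character `Tr0ub4dor&3` and rejects a 28-character lowercase passphrase and a Cyrillic one, and it verifies a different passphrase against the stored one because both were cut at 16 characters. Counting length in code points rather than bytes matters because some password hashes have byte limits; rejecting over-long input explicitly, as `nist_policy_check` does, is what keeps that from becoming silent truncation.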

3. Multi-Factor Authentication (20 pts)

MFA availability and quality. TOTP (Google Authenticator, Authy) is better than SMS. Hardware keys are best. No MFA is a failing grade on this category.

4. Anti-Pattern Penalties (15 pts)

Active deductions for dangerous behaviors:

  • Blocking paste in password fields
  • Forcing periodic password rotation
  • Showing passwords in plaintext in emails
  • Enforcing password expiration without breach evidence

5. Password Manager Compatibility (10 pts)

Does the site actively work against password managers? Blocking paste, blocking autofill, breaking the autocomplete attribute — all penalized.
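Several of the deductions in categories 4 and 5 are visible in the login form's markup itself. The following added example (not PassFail's tooling) audits every `<input type="password">` in a page for the anti-patterns named above: a `maxlength` below the rubric's thresholds, an inline paste-blocking handler, and `autocomplete="off"`. Both forms are constructed; the finding codes and the attribute list are this example's own.

```python
from html.parser import HTMLParser

# Constructed login forms: one carrying the anti-patterns, one without.
BAD_FORM = """
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" maxlength="12"
         onpaste="return false" autocomplete="off">
  <button type="submit">Sign in</button>
</form>
"""

GOOD_FORM = """
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" maxlength="128" autocomplete="current-password">
  <button type="submit">Sign in</button>
</form>
"""

# Inline event attributes that defeat pasting from a password manager.
PASTE_BLOCKING_ATTRS = ("onpaste", "ondrop", "oncopy")


class PasswordFieldAuditor(HTMLParser):
    """Collects rubric findings for every <input type="password"> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v if v is not None else "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        name = a.get("name", "<unnamed>")

        # Category 1: length tiers (<= 12 scores zero; below 64 misses the NIST floor).
        maxlength = a.get("maxlength", "")
        if maxlength.isdigit():
            n = int(maxlength)
            if n <= 12:
                self.findings.append(f"MAXLENGTH:{name}: max {n} <= 12 (category 1, zero points)")
            elif n < 64:
                self.findings.append(f"MAXLENGTH:{name}: max {n} below the 64-character NIST floor")

        # Categories 4 and 5: paste blocked via an inline handler.
        for attr in PASTE_BLOCKING_ATTRS:
            if attr in a:
                self.findings.append(f"PASTE_BLOCKED:{name}: inline {attr} handler")
                break

        # Category 5: autocomplete switched off works against password managers.
        if a.get("autocomplete", "").lower() == "off":
            self.findings.append(f"AUTOCOMPLETE_OFF:{name}: autocomplete disabled")


def audit_form(html: str) -> list[str]:
    """Return one finding string per anti-pattern found in the markup."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def finding_codes(html: str) -> set[str]:
    return {f.split(":", 1)[0] for f in audit_form(html)}


if __name__ == "__main__":
    for label, form in (("bad", BAD_FORM), ("good", GOOD_FORM)):
        print(label, audit_form(form) or ["no findings"])
```

A static scan of this kind only sees handlers and attributes written into the markup; a listener attached from a script, or truncation performed server-side, shows up only in a live test, which is the kind of observation the evidence standards in the next section ask testers to document.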

6. Breach Response & Credential Hygiene (10 pts)

Does the company check passwords against breach databases? Do they notify users of credential compromise? Have they had breaches and handled them responsibly?
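Checking a prospective password against a breach corpus does not require sending the password anywhere. The added example below (not PassFail's code) implements the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service: the verifier sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally. The HTTP call is replaced by a constructed response so the example runs offline; the middle line of that response carries the real SHA-1 suffix of the string `password`, while the other suffixes and all counts are made up.

```python
import hashlib
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here


def hibp_range_query(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 of the password, split into the 5-hex-char prefix that is
    sent to the service and the 35-char suffix that never leaves the verifier."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a /range/{prefix} response consists of."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus (0 = not found).
    The suffix comparison happens locally; only the prefix was transmitted."""
    prefix, suffix = hibp_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the network call. Only the middle suffix is real
# (SHA-1 of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the
# filler suffixes and every count are invented.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "\n".join([
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "FFFF0123456789ABCDEF0123456789ABCDE:1",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """In a real verifier this is an HTTP GET of RANGE_API + prefix."""
    return CONSTRUCTED_RESPONSES.get(prefix, "")


def registration_check(password: str,
                       fetch_range: Callable[[str], str] = offline_fetch_range) -> tuple[bool, str]:
    """Registration-time policy: refuse a value known from breach corpuses,
    as NIST 800-63B 5.1.1.2 requires verifiers to do."""
    n = breach_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in breach corpus; choose another"
    return True, "not found in breach corpus"


if __name__ == "__main__":
    for pw in ("password", "Correct-Horse-Battery-Staple-2026!"):
        print(repr(pw), hibp_range_query(pw)[0], registration_check(pw))
```

When wiring this to the live service, the real request is a GET of the prefix URL and the service also honours an `Add-Padding: true` request header that pads responses to a uniform size, so the response length does not reveal which prefix was queried. Counting a hit as a hard rejection at registration, rather than a warning, is the behaviour that earns credit in this category.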

7–10. Supporting Categories (5 pts each or penalty)

Username policies, default password practices, transparency and documentation, and email privacy round out the rubric.


Evidence Standards

Every grade requires:

  • Screenshots with the URL bar visible
  • A test date (grades expire after 6 months)
  • Tester notes explaining what was observed

We don't accept grades without evidence. This keeps the platform credible.


Why This Matters

NIST published these guidelines in 2017. Companies have had almost a decade to comply. The ones that haven't complied have made a choice, and that choice deserves to be documented.