PassFail.wtf

Grading Methodology

Every site is scored across 10 categories for a maximum of 110 base points. Our rubric is grounded in NIST Special Publication 800-63B — the U.S. government's definitive guidance on digital identity authentication.

Grade Scale

Formula: (total_score / 110) × 100 = percentage → letter grade

Grade   Percentage   Points (of 110)
A+      95–100%      105–110
A       90–94%       99–104
B       80–89%       88–98
C       70–79%       77–87
D       60–69%       66–76
F       0–59%        0–65

The 10 Categories

01. Password Length Policy (25 pts)

Maximum password length is the single clearest signal of whether a company understands password security. Short maximums force weak passwords and break password managers.

NIST Reference: NIST 800-63B: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length."

  • Minimum length ≥ 12: +8
  • Minimum length 8–11: +4
  • Maximum ≥ 128 or no max: +12
  • Maximum 64–127: +10
  • Maximum 32–63: +5
  • Maximum < 20: −5
  • Supports spaces in passwords: +5
02. Character & Composition Rules (15 pts)

Forced composition rules (must include uppercase, number, symbol) create predictable passwords while appearing secure. Restricting character sets reduces entropy.

NIST Reference: NIST 800-63B: "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types)."

  • Accepts any Unicode characters: +8
  • Accepts all printable ASCII: +5
  • Whitelist-only character set: −3
  • No forced composition rules: +7
  • Accepts emoji in passwords: +2
03. Multi-Factor Authentication (20 pts)

MFA is the most effective protection against credential theft. TOTP and hardware keys are significantly more secure than SMS-only options.

NIST Reference: NIST 800-63B recommends MFA for any system at AAL2 or above. Hardware-bound authenticators provide the strongest assurance.

  • TOTP supported (Google Authenticator, Authy, etc.): +8
  • Hardware security keys (FIDO2/WebAuthn): +7
  • True passwordless passkeys: +5
  • Passkeys as second factor (after password): +2
  • Redundant passkey implementation: −2
  • SMS-only MFA (no TOTP/hardware key): +3
  • MFA option buried or hard to find: −2
  • MFA enforced by default: +3
  • No MFA available: 0 (entire category)
04. Anti-Pattern Penalties (15 pts)

This category starts at full points and deducts for dangerous behaviors. A site with no anti-patterns keeps all 15 points.

NIST Reference: NIST 800-63B explicitly deprecates forced rotation, knowledge-based authentication, and composition rules. These practices actively harm security.

  • Blocks paste in password fields: −5
  • Forces periodic password rotation: −4
  • Uses security questions: −3
  • Sends passwords in plaintext email: −8
  • Includes password in forgot-password email: −8
  • Aggressive account lockout (< 5 attempts): −2
  • No rate limiting on login: −3
  • Silently truncates passwords: −10
  • Password field not masked by default: −5
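The length rules of category 01, the "accept Unicode, no composition rules" stance of category 02 and the "silently truncates passwords" penalty of category 04 all meet at the point where a verifier accepts a new password. The following Python is an added example, not PassFail.wtf's code: the 12/128 limits are the rubric's top tiers used as constants, the 72-byte limit imitates bcrypt's input cut-off, PBKDF2 stands in for the password hash, and the two verifier classes plus the probe are constructed to show how a tester can detect truncation and how a pre-hash removes it.

```python
import hashlib
import hmac
import os
import unicodedata

# Policy constants chosen to hit the rubric's top tiers (assumed values).
MIN_LEN = 12            # counted in code points, not bytes
MAX_LEN = 128           # longer input is refused outright, never trimmed
HASH_INPUT_LIMIT = 72   # bcrypt consumes at most 72 bytes; simulated here


def normalize(candidate: str) -> str:
    # NIST 800-63B asks verifiers to apply NFKC or NFKD before length checks
    # and hashing, so visually identical inputs hash identically.
    return unicodedata.normalize("NFKC", candidate)


def check_policy(candidate: str) -> tuple:
    """Accept or reject a candidate with a reason; no composition rules."""
    pw = normalize(candidate)
    n = len(pw)                       # Unicode code points
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN} characters (rejected, not truncated)"
    # Only control characters and lone surrogates are refused; spaces,
    # punctuation, non-Latin scripts and emoji are all acceptable.
    if any(unicodedata.category(ch) in ("Cc", "Cs") for ch in pw):
        return False, "control characters are not allowed"
    return True, "ok"


class TruncatingVerifier:
    """Feeds raw UTF-8 to a hash that only consumes HASH_INPUT_LIMIT bytes,
    the way a bcrypt-backed verifier behaves without a pre-hash."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = None

    def _material(self, pw: str) -> bytes:
        return normalize(pw).encode("utf-8")

    def _digest(self, pw: str) -> bytes:
        # The slice is the silent truncation the rubric penalises.
        limited = self._material(pw)[:HASH_INPUT_LIMIT]
        return hashlib.pbkdf2_hmac("sha256", limited, self.salt, 10_000)

    def enroll(self, pw: str) -> None:
        self.stored = self._digest(pw)

    def verify(self, pw: str) -> bool:
        return hmac.compare_digest(self.stored, self._digest(pw))


class PreHashingVerifier(TruncatingVerifier):
    """Same limited hash, but the secret is first reduced to a fixed 32-byte
    SHA-256 digest, so every byte of the password influences the result."""

    def _material(self, pw: str) -> bytes:
        # With real bcrypt, encode this digest (e.g. base64) first: bcrypt
        # treats a NUL byte as end of input.
        return hashlib.sha256(normalize(pw).encode("utf-8")).digest()


def truncation_probe(verifier_cls, probe_len: int = 100) -> bool:
    """Tester's check for the anti-pattern: enroll a long password, then see
    whether a copy cut at the suspected limit still authenticates."""
    v = verifier_cls()
    full = ("correct horse battery staple " * 4)[:probe_len]   # constructed input
    v.enroll(full)
    shortened = full[:HASH_INPUT_LIMIT]
    return shortened != full and v.verify(shortened)


if __name__ == "__main__":
    print(check_policy("correct horse battery staple"))   # (True, 'ok')
    print(truncation_probe(TruncatingVerifier))           # True: truncation detected
    print(truncation_probe(PreHashingVerifier))           # False: every byte counts
```

Two points worth noticing: the length check counts code points so that a non-Latin or emoji password does not exhaust the budget three or four bytes at a time, and the only rejection beyond length is for control characters, which is what "no composition rules" looks like in code.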
05. Password Manager Compatibility (10 pts)

Sites that break password managers force users toward weaker passwords. Paste blocking, broken autocomplete, and non-standard form fields are hostile to security.

NIST Reference: NIST 800-63B: "Verifiers SHOULD permit the use of ‘paste’ functionality." Password managers are the most effective tool for credential hygiene.

  • Works well with password managers: +5
  • Uses standard form field names: +3
  • Paste works in password fields: +2
  • Breaks browser autofill: −3
06. Breach Response & Credential Hygiene (10 pts)

Companies should check new passwords against known breach lists, notify users of compromises, and act on breach intelligence.

NIST Reference: NIST 800-63B: "Verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised."

  • Checks passwords against breach databases: +5
  • Notifies users of credential compromise: +3
  • Forces password change after breach: +2
  • Allows known-compromised passwords: −3
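The "checks passwords against breach databases" criterion is usually met with a k-anonymity range lookup: only the first five hex characters of the password's SHA-1 leave the server, and the match against the returned suffixes happens locally. This Python is an added example, not PassFail.wtf's code: the range database and the counts in it are constructed in memory to stand in for the network call, and the response shape ("SUFFIX:COUNT" per line, keyed by a five-character prefix) follows the Pwned Passwords range API.

```python
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: prefix -> list of "SUFFIX:COUNT".
# The passwords and counts here are made up for this example.
CONSTRUCTED_RANGES = {}
for _pw, _count in (("password", 1000), ("Welcome123!", 250), ("qwerty", 8000)):
    _h = sha1_hex(_pw)
    CONSTRUCTED_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS call; a real client would GET .../range/<prefix>."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return "\n".join(CONSTRUCTED_RANGES.get(prefix, []))


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = unseen).
    Only the 5-character prefix is disclosed; the 35-character suffix is
    compared locally against every line in the response."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        cand, sep, count = line.strip().partition(":")
        # Some services pad responses with zero-count decoy lines; a match
        # with count 0 is therefore treated as unseen.
        if sep and cand.upper() == suffix and int(count) > 0:
            return int(count)
    return 0


def accept_new_password(password: str) -> tuple:
    """Policy hook for sign-up or password change (category 06 behaviour)."""
    seen = breach_count(password)
    if seen > 0:
        return False, f"rejected: this password appears {seen} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    print(accept_new_password("Welcome123!"))                    # rejected
    print(accept_new_password("correct horse battery staple"))   # (True, 'ok')
```

Because the lookup key is a prefix shared by many unrelated hashes, the remote service learns nothing usable about the password itself, which is what makes it acceptable to run this check on every new secret rather than only at audit time.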
07. Transparency & Communication (5 pts)

Users deserve to know the rules before they create a password, not after they fail validation. Undocumented or contradictory requirements waste time and erode trust.

  • Requirements shown before/during password creation: +3
  • Dedicated password policy page: +2
  • Contradictory requirements: −2
08. Username & Account Identity Policies (5 pts)

Email-based login with alias support is the most flexible and secure approach. Rejecting valid TLDs or treating email addresses as case-sensitive causes unnecessary friction.

  • Email-based login: +3
  • Custom username login: +2
  • Accepts plus-aliases (user+tag@): +2
  • Rejects plus-aliases: −2
  • Rejects valid TLDs: −2
  • Case-sensitive email handling: −2
  • Forced username composition rules: −2
  • Restrictive username length: −1
09. Default & Initial Password Practices (5 pts)

How a service handles initial credentials matters. Self-registration is ideal. Shared or formulaic default passwords (e.g., "Welcome123!") are a common breach vector.

  • Self-registration (user chooses password): +5
  • Random unique default + forced change: +4
  • Random unique default, no forced change: +2
  • Formulaic default + forced change: +1
  • Formulaic default, no forced change: −3
  • Same default for all + forced change: −2
  • Same default for all, no forced change: −5
10. Email Privacy & Disposable Domains (penalty only)

Blocking privacy-focused email services (SimpleLogin, AnonAddy, Proton Mail aliases) penalizes security-conscious users. This is a penalty-only category.

  • Blocks privacy email aliases/relays: −3
  • No restrictions on email providers: 0

Evidence Requirements

All submissions must include:

  • Screenshots with URL bar visible
  • Date tested
  • Tester notes explaining observations

Grades are valid for 6 months, then marked "needs re-verification".
