by 16s 5106 days ago
There's no real way to 'verify' this. They would have to provide the source code in its entirety and several card-carrying, certified cryptanalysts/cryptographers would have to vet it and then publicly approve of it. That will never happen.

Users have to have some level of trust. Like everything else in life.

2 comments

If they use a well-maintained standard library which uses a modern cryptographic hashing function, then I think they earn that trust.

There is no real disadvantage to saying which one and a lot of trust to regain.

Absolute verification is impossible, but this doesn't mean more verification isn't helpful. NetTuts should publicly say what key derivation function they are using. Could they be lying? Maybe. Could they have other security vulnerabilities? Probably. Would I trust NetTuts with my credit card number? No.
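The point raised in the thread, that a site should use a standard-library KDF and state which one, can be made concrete by storing the KDF name and parameters inside each password record. This is an added example, not code from NetTuts or from any commenter; it assumes Python's standard `hashlib.pbkdf2_hmac` (chosen for portability; a memory-hard KDF such as scrypt is preferable where available) and a `$`-separated record format constructed here for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed record format: algorithm$iterations$salt_b64$key_b64.
# Anyone holding a record can see which KDF and work factor produced it,
# so "which hash are you using" is answered by the data, not by a promise.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # default work factor for new records
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a key with PBKDF2-HMAC-SHA256 and return a self-describing record."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(key)])


def describe_record(record: str) -> dict:
    """Report the KDF and work factor a stored record claims to use."""
    algorithm, iterations, _salt, _key = record.split("$")
    return {"algorithm": algorithm, "iterations": int(iterations)}


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the record's own parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM:
        return False  # unknown or legacy scheme: force a reset instead of guessing
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)
```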