Correct terminology when describing password security to layman

"We believe the secrecy of your passwords is very important, which is why we have implemented measures that strongly protect them while stored on our servers. Once you submit your password we convert it using a cryptographic function (salted PBKDF2-SHA256 with 64,000 iterations for the tech savvy), so even if attackers are able to breach our site they won't immediately learn your password.

This method of storing passwords makes it significantly harder for your password to be cracked by the bad guys. Choosing a unique and good password/passphrase choice paired with this technology can help prevent unauthorized access to your account. Even our employees won't know your original password."

Similar to Adam's suggestion, just expanded to cover more of your concerns.


The technical components are hard to communicate about. Understanding the answer beyond "We're doing the right thing" requires a lot of knowledge. So why not say both, something like:

"We protect your password with very strong technology. (For the geeks, it's currently 64K iterations of SHA2/PBKDF2)"


Is it correct to say "The passwords which we store cannot be decrypted"? I worry that it implies that the passwords can never be cracked, which simply isn't true.

It is somewhat correct, though the very presence of "decrypted" in that sentence may lead people to jump to the wrong conclusion.

It may be better explained by saying that the passwords undergo a "one-way cryptographic hashing process", which cannot be reversed to find the original password, even by the system administrator.

If the only way to get the password is brute-force cracking, then I think it's fair to say the "process cannot be reversed". If you do want to address brute-force cracking, you could go on to mention that "the only way for an attacker to obtain the original password would be to guess it correctly, which may take longer than a human lifetime" assuming the password is chosen securely.

Other options I have considered are "The method used to store passwords cannot be reversed"

Yes, I think it's fair to claim that.

"In the case of a breach, your password should not be retrievable"

This is not as concise in my opinion. Firstly, "should not" is vague, and it may actually be retrievable through brute-force cracking, which isn't sufficiently addressed in this phrase.

There's a subtle distinction in my mind between "reversing the algorithm" - which brute-force cannot do, and "retrieving the password" - which brute force can assuming enough time.

but I find saying they can't be decrypted to be more understandable and to the point,

Yes definitely.

As for the explanation of text:

We are using Secure Password Storage v2.0 which is an implementation of PBKDF2. We are using the hash algorithm SHA256, 64000 iterations, and 24 bytes for our random salt.

It is good to include this for the benefit of those who understand the technical details, assuming that one of the previously discussed more layperson explanations is also included.