Since the target audience is mostly non-hackers, I'd make these points instead:
- For people not using a library or framework, use one!
- For people who build libraries and frameworks, consider bcrypt!
- For people who aren't cryptography deities, don't roll your own. Even Bruce Schneier needs heavy peer review.
And a nit - SHA-1 is showing its age and is being phased out; SHA-2 is much stronger and is widely available.
No mention of bcrypt. http://codahale.com/how-to-safely-store-a-password/
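The thread's advice (prefer a salted, deliberately slow password hash such as bcrypt over a bare SHA-1, and verify without rolling your own comparison) as an added example that is not from the thread or the linked article; the Python standard library has no bcrypt, so it uses hashlib's PBKDF2-HMAC-SHA256 as the slow, salted stand-in, and the iteration count and sample passwords are assumed/constructed values.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample data for the demonstration (not real credentials).
PASSWORD = "correct horse battery staple"
OTHER_PASSWORD = "Tr0ub4dor&3"

# Assumed work factor for PBKDF2; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def sha1_unsalted(password: str) -> str:
    """What a hand-rolled scheme often looks like: one fast, unsalted digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The stored string records the algorithm,
    iteration count and salt so the cost can be raised later without
    invalidating existing records."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself does not leak timing."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest_for_same_password(hasher: Callable[[str], str]) -> bool:
    """True when two records with the same password are stored identically,
    which is what lets one precomputed table crack many accounts at once."""
    return hasher(PASSWORD) == hasher(PASSWORD)
```

With the unsalted digest the check returns True; with the salted scheme it returns False because every record gets its own salt.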