
Your non-devs FAQ is still not quite informative. You still don't explain to laymen /why/ what the sites are doing is wrong, you just say "You should never see your password".

edit:

Maybe something along the lines of:

> Modern cryptography allows websites to save passwords in a form that is un-decryptable even to the site itself. This works because to check the validity of logins, the unencrypted (plain) version of the password is never needed. The fact that a site stores the password in a decryptable format and decrypts it to show it to you means that an attacker could potentially decrypt the password in the exact same way. Or even worse, maybe they never encrypt it in the first place! This potentially compromises the safety of the password you use because it lets an attacker steal your password.




That's a pretty technical explanation. I think something like this would suffice:

> If the website can pull out your password to show it to you, an attacker can pull out the password to steal it.

As ever, the issue is explaining hashing.


I think this is easier than it sounds. To a layman, when they type in their password, they are not thinking about how it would be implemented. The idea that "oh, somebody is doing a string compare against a password in the database" is not something that would enter their mind. That is baggage that software developers may have, but ordinary people have not been primed in that way.

Ordinary people are going to be thinking about a key in a lock. Does the lock on your house store the key inside? Maybe in some kind of information-theoretic sense but in the ordinary meaning of the word, no, it has a representation (that may not even be sufficiently specific to recover your key exactly). And if you lose your key you don't break into the lock to recover it--you call a locksmith to replace the lock, and get new keys.

That right there is an intuitive understanding of both hashing and good security principles that goes surprisingly far.


Absolutely. I wasn't really clear. I didn't mean it needs an explanation of hashing. I meant there needs to be some short answer to the question of "if they can't pull out my password, how do they check it?"

I don't think people are thinking about keys and locks. Passwords are a thing that existed before computers and that people understand perfectly outside of an IT context. Spies in films use secret phrases to prove they're the contact, kids use passwords to gain access to the clubhouse. But in all these non IT contexts the person checking the authentication knows the shared secret, so it's obvious how they check it.

If my mental model is "I've arranged a secret password with this website that proves I'm really me", then my first question when told the website doesn't know what secret password is "well how does it know that the password is correct?".

The best I've been able to come up with today is a somewhat lengthy metaphor with color mixing.

[Edit] Having said that, I just went and talked to my technically literate non-programmer wife and she used the key and door analogy.
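To make concrete what the quoted FAQ text and the "how do they check it?" question are about, here is an added example (not from the thread or any site's code) showing a salted one-way password record, the check that needs no plain password, and, for contrast, the reversible "scramble" the thread warns against. The PBKDF2 parameters and the toy XOR scramble are chosen for illustration only.

```python
import hashlib
import hmac
import os

# Parameters for PBKDF2-HMAC-SHA256; values chosen for this illustration.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str) -> dict:
    """Return the record a site keeps: a random salt plus a one-way hash.
    Nothing in it lets the site (or a thief) turn it back into the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Answer 'how do they check it?': redo the one-way transform on the
    attempt and compare results. The stored plain password is never needed."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), salt, record["iterations"]
    )
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def reversible_store(password: str, key: bytes) -> bytes:
    """The pattern the thread objects to: a scramble the site can undo.
    Toy XOR, constructed for contrast; not a real cipher."""
    data = password.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def reversible_recover(stored: bytes, key: bytes) -> str:
    """Whoever holds the key and the record gets the password back, which
    is exactly why a site that can 'show you your password' is a risk."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(stored)).decode()
```

Storing the same password twice yields different records because of the fresh salt, so the record is not even a stable fingerprint of the password.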


I like this description. I don't know that you need to explain hashing to laymen, though. Hand-waving is acceptable when communicating to people who aren't skeptics (laymen). If they're really interested in fact-checking you, they can do so on their own time, or you can provide links to detailed explanations.

"It is possible to store passwords in a way that the website cannot see your password, but can still verify that a password entered by you checks out." (trust us, after all you're trusting that we know what we're talking about by reading this stuff)


Thanks, I've added wording for that.


I prefer makmanalp's explanation to the wording you are using right now. It emphasizes that hashing is a one-way operation, and "encryption" or "scrambling" are more familiar and less abstract than "representation". I know it's not an accurate usage of the terms, but this is the layman FAQ and we could always add a link to a more in-depth explanation using the correct terminology (hashing, salts & key strength).



