I haven’t come across any real discussions about this, so I thought I would ask: Do you think it’s a good idea to disclose your password encryption policies in your privacy policy or terms of service agreement? In other words, would you tell your users - and the world - that you don’t store their passwords in plain text, and disclose the exact method you use to store passwords?

For example, a privacy policy might read like this:

“Under no circumstances will we store your password as plain text. All passwords are encrypted with the Bcrypt hashing function and individual random password salts. If your password is 123456, your password would be stored in our database in a form similar to: salt:f11ba67d8a hash:$2a$08$jRAovt7x1lgHjMGsZstzUukaE4Nga6jxfneZXPSMc6/Uhlx.rY4ri
Therefore, neither our website nor anyone else will know your password.”

Question #1: Do you think publicly disclosing password hashing is a good policy?

Question #2: Would disclosing password hashing policies disincentivise hackers from attempting to hack your password database?

PS: This is not a question about which password hashing scheme or use of salts is best.
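An added example, not part of the original post: it parses the bcrypt string quoted above ($2a$08$...) into its fields and audits a few constructed database rows against the disclosed policy ("bcrypt, random per-user salt"), which is the check an operator would want before publishing such a statement. It also shows that the 60-character bcrypt string already carries the cost and the 128-bit salt, so the separate salt column in the quoted policy is not needed to verify a login. The usernames and the non-bcrypt rows are constructed.

```python
import re

# bcrypt's own base64 alphabet (not the RFC 4648 one)
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Modular-crypt layout: $2<x>$<2-digit cost>$<22-char salt><31-char hash>, 60 chars
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# The hash string quoted in the post above
POST_HASH = "$2a$08$jRAovt7x1lgHjMGsZstzUukaE4Nga6jxfneZXPSMc6/Uhlx.rY4ri"

# Constructed rows as they might appear in a users table (only alice matches the policy)
SAMPLE_ROWS = [
    ("alice", POST_HASH),
    ("bob", "123456"),                                   # plaintext
    ("carol", "e10adc3949ba59abbe56e057f20f883e"),       # unsalted hex digest
    ("dave", "$2a$04$" + POST_HASH[7:]),                 # bcrypt syntax, cost below policy
]

def bcrypt_b64_decode(s: str, nbytes: int) -> bytes:
    """Decode bcrypt's base64 variant, keeping the first nbytes bytes."""
    acc, bits, out = 0, 0, bytearray()
    for ch in s:
        acc = (acc << 6) | BCRYPT_B64.index(ch)
        bits += 6
        while bits >= 8 and len(out) < nbytes:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out)

def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into its fields; raise ValueError if it is not one."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),                          # work factor: 2**cost key-setup rounds
        "salt": salt,                               # the random salt, stored inside the string
        "salt_bytes": bcrypt_b64_decode(salt, 16),  # 128 bits
        "hash": digest,                             # truncated 184-bit bcrypt output
    }

def audit_rows(rows, min_cost: int):
    """Return (username, reason) for every row that violates the stated policy."""
    findings = []
    for user, stored in rows:
        try:
            info = parse_bcrypt(stored)
        except ValueError as e:
            findings.append((user, str(e)))
            continue
        if info["cost"] < min_cost:
            findings.append((user, f"cost {info['cost']} below policy minimum {min_cost}"))
    return findings
```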