Since the target audience is mostly non-hackers, I'd make these points instead:<p>- For people not using a library or framework, use one!<p>- For people who build libraries and frameworks, consider bcrypt!<p>- For people who aren't cryptography deities, don't roll your own. Even Bruce Schneier needs heavy peer review.<p>And a nit - SHA-1 is showing its age and is being phased out; SHA-2 is much stronger and is widely available.