Channel: What is a good analogy to explain to a layman why passwords should be hashed? - Information Security Stack Exchange

Answer by Ken Clubb for What is a good analogy to explain to a layman why passwords should be hashed?

  1. Explain that passwords get stolen all the time, and when it happens the companies are REALLY embarrassed and open to lawsuits if the passwords are in clear text.
  2. Explain that hashing is really easy to do today.
  3. Now for the analogy:

The best analogy of a one-way hash function to non-techies is just to use a number look-up analogy - forget the complex cryptography. When a user originally gives you a password, you assign a unique number to the password using a black box, and you store the number as the user's password instead of the original password.

When the user gives you a password again later for authentication, you pass the given password into the black box and get back a number. Now you can compare that number with the number you previously saved - if the two numbers match, the passwords are the same; if the two numbers do not match, the passwords are not the same.

Every unique password passed into the box gets its own unique number, and each time the same password is passed into the black box the same number comes out.

The way the black box does the number look-up is very well known, and any problems with the black box are dealt with by the industry - any vulnerabilities are dealt with by the industry - YOUR company is not responsible if there is a problem with the black box.

Finally, if the number is stolen from the company database, the well-understood black box does not work in reverse - you cannot take a stolen number and get back the password (assuming that the original password was strong).
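The "black box" store-and-compare flow described in this answer, as an added example that is not part of the original post. It uses Python's standard-library PBKDF2 as the black box, a random per-user salt so two users with the same password do not get the same stored number, and a constant-time comparison; the in-memory user table and the iteration count are constructed for the example and are not from the answer.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a user database: username -> (salt, stored hash).
# Only the salt and the hash are kept; the password itself is never stored.
USER_TABLE: dict[str, tuple[bytes, bytes]] = {}

# PBKDF2 work factor; chosen for the example, a deployment tunes it to its hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def black_box(password: str, salt: bytes) -> bytes:
    """The answer's 'black box': same password + same salt always yields the
    same number, and there is no way to run it backwards to get the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(username: str, password: str) -> bytes:
    """Store the 'number' for a new user and return it (for demonstration)."""
    salt = os.urandom(SALT_BYTES)  # unique per user, so equal passwords differ on disk
    digest = black_box(password, salt)
    USER_TABLE[username] = (salt, digest)
    return digest


def verify(username: str, password: str) -> bool:
    """Recompute the number from the supplied password and compare it with the
    stored one. Returns True only when the two numbers match."""
    entry = USER_TABLE.get(username)
    if entry is None:
        # Do the same amount of work for an unknown user so that a missing
        # account is not distinguishable from a wrong password by timing.
        black_box(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = entry
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(black_box(password, salt), stored)


def stored_record(username: str):
    """Return the (salt, hash) pair kept for a user, or None if unknown."""
    return USER_TABLE.get(username)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("right password :", verify("alice", "correct horse battery staple"))
    print("wrong password :", verify("alice", "Tr0ub4dor&3"))
    print("unknown user   :", verify("nobody", "anything"))
```

What lands in the table is the salt and the PBKDF2 output, so a copy of the table does not contain any password; verification works purely by re-running the box on the candidate password and comparing numbers, exactly as the answer describes.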
