I am writing a page for our website which describes the measures we take to keep our customers' information secure. On this page one section describes how we keep their passwords secure.
We are using Secure Password Storage v2.0 which is an implementation of PBKDF2. We are using the hash algorithm SHA256, 64000 iterations, and 24 bytes for our random salt. I'm not really sure this matters so much, other than that I just don't want people to come with pitchforks raised thinking we are encrypting the passwords.
Is it correct to say "The passwords which we store cannot be decrypted"? I worry that it implies that the passwords can never be cracked, which simply isn't true. However, I do want to emphasize to our users that our system to store passwords is secure enough that they shouldn't ever have to worry about it (as long as they pick a sufficiently unique password of course), even in the case of the entire password database being stolen.
Other options I have considered are "The method used to store passwords cannot be reversed" or "In the case of a breach, your password should not be retrievable" but I find saying they can't be decrypted to be more understandable and to the point, especially since some people may not even realize that passwords aren't stored in plaintext.
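To make the distinction the question is drawing concrete, here is an added example (not code from the question or from the "Secure Password Storage" library it mentions) using Python's standard-library `hashlib.pbkdf2_hmac` with the same parameters: PBKDF2-HMAC-SHA256, 64000 iterations, a 24-byte random salt. The record format (`pbkdf2_sha256$iterations$salt$hash`) and the function names are assumptions for illustration. The last function shows what an attacker who steals the database can actually do: there is no key to recover and nothing to "decrypt", only guesses to try, each costing a full PBKDF2 run, which is why a weak password still falls and a strong one does not.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Parameters from the question: PBKDF2-HMAC-SHA256, 64000 iterations, 24-byte salt.
HASH_NAME = "sha256"
ITERATIONS = 64000
SALT_BYTES = 24


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way record for storage.

    Returns 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>' (assumed format) so the
    parameters travel with the record and can be raised later without breaking
    old entries. The salt is fresh per password, so equal passwords give different
    records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and parameters and compare in constant time.

    Note that nothing here recovers the password from the record; the only way to
    check a candidate is to run the derivation again.
    """
    scheme, iterations, salt_b64, hash_b64 = record.split("$")
    hash_name = scheme[len("pbkdf2_"):]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), salt, int(iterations), len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def crack_by_guessing(record: str, guesses: Iterable[str]) -> Optional[str]:
    """The attacker's only option against a stolen record: try candidates one by one.

    Each attempt costs one full PBKDF2 run (64000 HMAC-SHA256 invocations), so the
    cost scales with how many guesses the password survives, not with any secret
    the server holds. Returns the matching guess or None.
    """
    for guess in guesses:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: one weak and one strong password.
    weak = hash_password("password123")
    strong = hash_password("correct horse battery staple")
    wordlist = ["letmein", "123456", "password123", "hunter2"]
    print("weak record:  ", weak)
    print("weak cracked: ", crack_by_guessing(weak, wordlist))
    print("strong cracked:", crack_by_guessing(strong, wordlist))
```

Running the demo shows the weak password recovered from the wordlist while the strong one is not, which is exactly the nuance the question is worried about: the stored record cannot be reversed, but a guessable password can still be guessed.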