diff --git a/tests.py b/tests.py
index 9203f15..edbb72e 100644
--- a/tests.py
+++ b/tests.py
@@ -1,7 +1,9 @@
 import time
 import unittest
+import uuid
 from unittest import TestCase
 
+from cryptography.fernet import Fernet
 from werkzeug.exceptions import BadRequest
 
 # noinspection PyPep8Naming
@@ -12,11 +14,6 @@ __author__ = 'davedash'
 
 class SnapPassTestCase(TestCase):
 
-    def test_set_password(self):
-        """Ensure we return a 32-bit key."""
-        key = snappass.set_password("foo", 30)
-        self.assertEqual(32, len(key))
-
     def test_get_password(self):
         password = "melatonin overdose 1337!$"
         key = snappass.set_password(password, 30)
@@ -24,6 +21,42 @@ class SnapPassTestCase(TestCase):
         # Assert that we can't look this up a second time.
         self.assertEqual(None, snappass.get_password(key))
 
+    def test_password_is_not_stored_in_plaintext(self):
+        password = "trustno1"
+        token = snappass.set_password(password, 30)
+        redis_key = token.split(snappass.TOKEN_SEPARATOR)[0]
+        stored_password_text = snappass.redis_client.get(redis_key).decode('utf-8')
+        self.assertFalse(password in stored_password_text)
+
+    def test_returned_token_format(self):
+        password = "trustsome1"
+        token = snappass.set_password(password, 30)
+        token_fragments = token.split(snappass.TOKEN_SEPARATOR)
+        self.assertEqual(2, len(token_fragments))
+        redis_key, encryption_key = token_fragments
+        self.assertEqual(32, len(redis_key))
+        try:
+            Fernet(encryption_key.encode('utf-8'))
+        except ValueError:
+            self.fail('the encryption key is not valid')
+
+    def test_encryption_key_is_returned(self):
+        password = "trustany1"
+        token = snappass.set_password(password, 30)
+        token_fragments = token.split(snappass.TOKEN_SEPARATOR)
+        redis_key, encryption_key = token_fragments
+        stored_password = snappass.redis_client.get(redis_key)
+        fernet = Fernet(encryption_key.encode('utf-8'))
+        decrypted_password = fernet.decrypt(stored_password).decode('utf-8')
+        self.assertEqual(password, decrypted_password)
+
+    def test_unencrypted_passwords_still_work(self):
+        unencrypted_password = "trustevery1"
+        storage_key = uuid.uuid4().hex
+        snappass.redis_client.setex(storage_key, 30, unencrypted_password)
+        retrieved_password = snappass.get_password(storage_key)
+        self.assertEqual(unencrypted_password, retrieved_password)
+
     def test_password_is_decoded(self):
         password = "correct horse battery staple"
         key = snappass.set_password(password, 30)