I’m willing to bet someone `JSON.stringify`’d the entire user object without realizing the password hash is in there.
The broader conversation here, I think, is facilitating a shift to passwordless. Magic links, OAuth, Yubikeys all make passwords redundant.
If I put in a password I still need MFA and I can reset my password with just MFA, so why do I need the password at all? Let’s just switch to MFA-only signon.
Slack kinda led the charge to magic links and passwordless so it’s strange to see they’re still stuck on this. Many enterprise orgs have moved SSO setups to enforce solely passwordless already.
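An added example, not code from this comment or from Slack, of the failure mode the first sentence describes: a user record serialized wholesale leaks the password hash, while an allowlist serializer and a `toJSON` hook on the model drop it. The record, field names and hash value below are constructed for illustration, and the `User` class and `leaksSecretFields` helper are assumptions, not any real project's API.

```javascript
// Constructed sample record, shaped like what an ORM would hand back from a
// users table. The hash is a made-up hex string, not derived from anything real.
const userRecord = {
  id: 42,
  email: "alice@example.com",
  displayName: "Alice",
  passwordHash: "a3f1c9e7b2d84e0f6c5a7b9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f",
  mfaSecret: "CONSTRUCTED-TOTP-SEED",
  createdAt: "2022-08-01T00:00:00Z",
};

// The naive approach: every column, including secrets, ends up in the response.
function serializeNaive(user) {
  return JSON.stringify(user);
}

// Allowlist of fields that may be shown to API clients. Anything not listed is
// dropped, so a newly added secret column is never exposed by default.
const PUBLIC_USER_FIELDS = ["id", "email", "displayName", "createdAt"];

function toPublicUser(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}

function serializeSafe(user) {
  return JSON.stringify(toPublicUser(user));
}

// Defence in depth: a model class whose toJSON hook applies the allowlist, so a
// careless JSON.stringify(user) anywhere in the code base, including on a user
// nested deep inside some other object, still cannot emit the hash.
class User {
  constructor(record) {
    Object.assign(this, record);
  }
  toJSON() {
    return toPublicUser(this);
  }
}

// Detector for a test suite or response middleware: walk the parsed JSON and
// report whether any key from a denylist of secret field names is present.
const SECRET_FIELDS = ["passwordHash", "mfaSecret"];

function leaksSecretFields(jsonText) {
  const stack = [JSON.parse(jsonText)];
  while (stack.length) {
    const node = stack.pop();
    if (node && typeof node === "object") {
      for (const [key, value] of Object.entries(node)) {
        if (SECRET_FIELDS.includes(key)) return true;
        stack.push(value);
      }
    }
  }
  return false;
}

// Usage: the naive form leaks, the allowlisted forms do not.
console.log("naive leaks:", leaksSecretFields(serializeNaive(userRecord)));
console.log("safe leaks:", leaksSecretFields(serializeSafe(userRecord)));
console.log("model leaks:", leaksSecretFields(JSON.stringify({ session: { user: new User(userRecord) } })));
```

The `toJSON` hook is the piece worth keeping: `JSON.stringify` invokes it on nested objects as well, so wrapping the user in a session or API envelope does not reopen the hole, and `leaksSecretFields` run over responses in integration tests catches the case where someone serializes the raw record instead of the model.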