[eneveu]

> Hopefully you don't transmit the password and are doing challenge/response so that you don't even have it when the user logs in.

Wasn't challenge/response / SRP authentication debunked ?

https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

https://news.ycombinator.com/item?id=2859470