by TameAntelope 1890 days ago
It's terrifying to store credentials. I'll take 4 hours of downtime once in a blue moon over lost nights of sleep over potential security breaches.

I just can't even imagine why you would these days, there are even "local" options that act as "local 3rd party auth providers".

It’s only terrifying if you believe Auth0’s FUD.
100% - for OnlineOrNot (https://onlineornot.com) I only use passwordless auth (enter your email, get a magic link emailed) and Google via OAuth for this reason.

Screw losing sleep over whether you're storing credentials correctly.
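The magic-link flow the comment above describes, written out as an added example (this is not OnlineOrNot's code, and the URL, the 15-minute lifetime and the in-memory store are assumptions). The points worth getting right: the token comes from the OS CSPRNG, only a digest of it is stored so a leaked table does not hand out working links, the link expires, and it is consumed on first use whether or not it turns out to be valid.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60          # assumption: a link is good for 15 minutes
LOGIN_URL = "https://example.invalid/login"   # assumption: hypothetical endpoint


class MagicLinkStore:
    """Issues and redeems single-use login tokens.

    The dict stands in for a database table (constructed for this example).
    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Store a digest, not the token: the token is the bearer credential.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of OS randomness
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email.strip().lower(), expires_at)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str):
        """Return the e-mail address for a valid token, else None.

        The entry is removed on the first redemption attempt, so a link can
        never be used twice, and an expired link is dropped rather than kept.
        Looking up by digest is safe: the attacker-controlled input is hashed
        before it touches the table, so there is no timing side channel on it.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email


def token_from_link(link: str) -> str:
    """Extract the token query parameter from an issued link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("Alice@Example.com")
    tok = token_from_link(link)
    print("first redeem :", store.redeem(tok))    # alice@example.com
    print("second redeem:", store.redeem(tok))    # None, single use
```

The e-mail delivery step is deliberately left out; whatever provider sends the link, the server only ever sees the token come back in the query string, which is all `redeem` needs.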

What happens when the emails fail (like spam folder)? I remember a thread here on HN on a number of projects where they dumped email link sending as a login method for various reasons and complications. Have you faced any challenges as well? If not, what's your secret sauce? A better email provider? Would love to know.
Email Provider is a big one - particularly following best practices like DKIM.

Use a large managed service like Postmark or Mailgun. Use AWS SES/roll your own at your own peril.

Worst case, the user doesn't get the email, and uses OAuth (majority of my target audience - agencies - use GSuite).

Use a properly maintained library to salt and hash your passwords and the credentials will be the absolute least of your worries if your database is breached.
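What "salt and hash with a maintained library" looks like in practice, as an added example rather than anything from the thread. It uses the scrypt implementation in Python's standard-library `hashlib`; a dedicated package such as argon2-cffi or bcrypt would be used the same way. The cost parameters, the `$scrypt$...` storage format and the `needs_rehash` policy are assumptions for illustration. Each password gets its own random salt, the comparison is constant-time, and the stored string carries its own parameters so they can be raised later without invalidating existing hashes.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed cost parameters; 128 * n * r * p bytes = 16 MiB of memory per hash.
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P = 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing hash string: $scrypt$ln=..,r=..,p=..$salt$key."""
    salt = secrets.token_bytes(SALT_BYTES)      # fresh per-user salt from the OS CSPRNG
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=1 << SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return f"$scrypt$ln={SCRYPT_LOG_N},r={SCRYPT_R},p={SCRYPT_P}${_b64(salt)}${_b64(key)}"


def _parse(stored: str):
    """Split a stored hash into (log_n, r, p, salt, key); raise ValueError if malformed."""
    _, algo, params, salt_b64, key_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported algorithm")
    kv = dict(item.split("=", 1) for item in params.split(","))
    return (int(kv["ln"]), int(kv["r"]), int(kv["p"]),
            base64.b64decode(salt_b64), base64.b64decode(key_b64))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored string and compare."""
    try:
        log_n, r, p, salt, expected = _parse(stored)
    except (ValueError, KeyError, TypeError):
        return False   # malformed record: fail closed, never raise to the caller
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=1 << log_n, r=r, p=p, dklen=len(expected),
    )
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than the current policy.

    Call this after a successful login and re-hash with the plaintext you just
    verified, so old hashes are upgraded gradually without a forced reset.
    """
    try:
        log_n, r, p, _, _ = _parse(stored)
    except (ValueError, KeyError, TypeError):
        return True
    return (log_n, r, p) < (SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
```

If a database containing these records leaks, the attacker has to run scrypt at the stored cost per guess per user; the salt defeats precomputed tables, and raising `SCRYPT_LOG_N` later only requires a rehash at the next login.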