Ah, I meant plaintext passwords are never persisted in a db anywhere. The only time passwords are decrypted is when they are used to programmatically log in, so they're never stored anywhere except in memory.
Out of interest, what's the architecture you have gone with for key rotation and storage, and where are the encrypted passwords stored? (Understand that as a very early-stage startup you probably haven't optimised all this yet.)
I know some other services that have had to go this route have used quite elaborate systems to ensure separation between keys, passwords and user details in the event of a hack.
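To make the separation these comments are talking about concrete, here is an added example (not code from either commenter or from the startup in question) of the usual envelope-encryption layout: a per-record data key (DEK) encrypts the password, a versioned key-encryption key (KEK) held in a separate key store wraps the DEK, and rotation rewraps DEKs without ever decrypting a password. The KeyStore type is a hypothetical in-memory stand-in for a KMS/HSM, and the Record layout and the version-as-AAD binding are my own choices for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is fatal, not something to recover from
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming error
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

func aeadSeal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad) // nonce||ciphertext||tag, fresh nonce per call
}

func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key) // any change to blob or aad fails authentication below
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// KeyStore is a hypothetical in-memory stand-in for the KMS/HSM that holds the KEKs,
// a trust domain separate from the database that holds Records.
type KeyStore struct {
	keks    map[uint32][]byte
	current uint32
}

// Rotate makes a fresh KEK current; old versions stay until the operator deletes them.
func (ks *KeyStore) Rotate() uint32 {
	ks.current++
	ks.keks[ks.current] = mustRandom(32)
	return ks.current
}

// versionAAD binds a wrapped DEK to its KEK version so the version field cannot be swapped.
func versionAAD(v uint32) []byte { return []byte(fmt.Sprintf("kek-v%d", v)) }

// Record is all the database holds: no plaintext, no KEK. The per-record DEK is
// wrapped under a versioned KEK, so rotation is a rewrap, not a re-encryption.
type Record struct {
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte
}

// Seal encrypts a password under a fresh DEK and wraps the DEK under the current KEK.
func Seal(ks *KeyStore, password []byte) Record {
	dek := mustRandom(32)
	wrapped := aeadSeal(ks.keks[ks.current], dek, versionAAD(ks.current))
	return Record{KEKVersion: ks.current, WrappedDEK: wrapped, Ciphertext: aeadSeal(dek, password, nil)}
}

func unwrapDEK(ks *KeyStore, rec Record) ([]byte, error) {
	kek, ok := ks.keks[rec.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not available", rec.KEKVersion)
	}
	return aeadOpen(kek, rec.WrappedDEK, versionAAD(rec.KEKVersion))
}

// Open yields the plaintext only for the duration of the programmatic login;
// the caller must not persist it anywhere.
func Open(ks *KeyStore, rec Record) ([]byte, error) {
	dek, err := unwrapDEK(ks, rec)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, rec.Ciphertext, nil)
}

// Rewrap moves a record to the current KEK; the password ciphertext is untouched
// and the password itself is never decrypted during rotation.
func Rewrap(ks *KeyStore, rec Record) (Record, error) {
	dek, err := unwrapDEK(ks, rec)
	if err != nil {
		return rec, err
	}
	rec.KEKVersion, rec.WrappedDEK = ks.current, aeadSeal(ks.keks[ks.current], dek, versionAAD(ks.current))
	return rec, nil
}
```

Rotate deliberately keeps the old KEK versions in the store, so records wrapped under them still open while a background job rewraps them; delete an old version only once nothing references it, or those records are gone for good. The plaintext only ever exists in the return value of Open, which is the property the first comment describes. Two caveats a practitioner would add: with random 96-bit GCM nonces, bound how many DEKs you wrap under one KEK version (regular rotation does that), and never share a DEK across records.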