Mon 17.03.2025 18:17:27

@hannsr I thought people already know all about that. To be fair, I find it really strange that people don't know that, even with TLS and password hashing algos, servers (including intermediate passwords, like reverse proxies such as Cloudflare's) have access to user passwords. Those often don't have access to the passwords in plain text in storage (hopefully, I saw my share of bad password storage and it's horrifying), but most have during authentication. WebAuthn should fix that using cryptographic keys, but is hard to use (AFAIK it requires tokens, which can be expensive for some people), the extension of it with Passkeys should make it simpler for people (but it never worked for me, so I can't even test it) and TLS-SRP never gained any popularity. Don't get me started on JS-based SRP...
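
The difference the post describes, as an added example that is not part of the original post: a password login hands the secret to the server on every attempt even though only a hash is stored, while a key-based login gives the server only public values. It is a simplified Ed25519 challenge-response in Node.js, not the WebAuthn protocol itself (no origin binding, attestation or counters); all function names and sample values are assumptions.

```javascript
// Added illustration; function names and sample values are constructed.
const nodeCrypto = require("node:crypto");

// Password login: the secret itself reaches the server on every login.
function registerPassword(password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, hash: nodeCrypto.scryptSync(password, salt, 32) }; // at rest
}
function passwordLogin(record, request) {
  // request.password is in memory at the server and any TLS-terminating proxy.
  const candidate = nodeCrypto.scryptSync(request.password, record.salt, 32);
  return nodeCrypto.timingSafeEqual(candidate, record.hash);
}

// Key-based login: the server stores and receives public values only.
function registerKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  return { clientSecret: privateKey, serverRecord: { publicKey } };
}
const newChallenge = () => nodeCrypto.randomBytes(32); // fresh per attempt
const clientSign = (key, challenge) => nodeCrypto.sign(null, challenge, key);
function keyLogin(record, challenge, signature) {
  return nodeCrypto.verify(null, challenge, record.publicKey, signature);
}

// True if any value the server handled contains the user's secret bytes.
function serverSawSecret(serverSide, secret) {
  return serverSide.some((v) => Buffer.from(v).includes(Buffer.from(secret)));
}

function demo() {
  const password = "correct horse battery staple"; // constructed sample
  const request = { user: "alice", password };
  const pwOk = passwordLogin(registerPassword(password), request);
  const pwExposed = serverSawSecret([request.password], password);

  const { clientSecret, serverRecord } = registerKey();
  const challenge = newChallenge();
  const signature = clientSign(clientSecret, challenge);
  const keyOk = keyLogin(serverRecord, challenge, signature);
  // The last 32 bytes of the PKCS#8 encoding are the Ed25519 private seed.
  const seed = clientSecret.export({ format: "der", type: "pkcs8" }).subarray(-32);
  const pub = serverRecord.publicKey.export({ format: "der", type: "spki" });
  const keyExposed = serverSawSecret([pub, challenge, signature], seed);
  // A captured signature is useless against the next challenge.
  const replayOk = keyLogin(serverRecord, newChallenge(), signature);
  return { pwOk, pwExposed, keyOk, keyExposed, replayOk };
}

console.log(demo());
```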