Colin Atkins

Posted in Strong Passwords with HaveIBeenPwned Discussion

Dear Chris,

Why would one send their users' passwords over a relatively insecure HTTPS connection to a third-party API? I like increased security, but this makes no sense. We don't know who controls the API and if they log the sent passwords.

Am I missing something? Even if it's hashed, it isn't worth the risk.
If the password library was downloaded it would be good. Otherwise not.

Have you thought about that, Chris?

Cheers