While this is good enough for the initial implementation, it is also very brittle. We should find a more robust way to allow models to hide certain properties from toJSON output.
In the past, I had very good experience with moving the password to a different model (table/collection) and using a hasMany relation. As a nice side effect, by keeping a hash of all previous passwords, we can easily implement a password policy like "cannot reuse the same password".
From #5 (comment):
I think this needs some discussion as I'm personally not sure if refactoring passwords to its own table is the best design but agree current design is a bit brittle.
Let's discuss this issue and refine the acceptance criteria.
Acceptance Criteria
Explore a more secure and robust way to store the password for users
As suggested above, we can try storing Password in a separate model (table/collection)
Feel free to come up with other solutions.
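A sketch of the separate-model idea discussed in this issue, added here as an example and not code from the issue or the project: the user object carries no password field, so serialization has nothing to hide, and the retained hashes drive the "cannot reuse the same password" check. `User`, `CredentialStore` and `demo` are hypothetical names, an in-memory array stands in for the related table/collection, and scrypt is an assumed choice of hash.

```javascript
// Added example: password hashes live in their own collection, keyed by user id.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Hypothetical user model: it has no password field, so toJSON has nothing to hide.
class User {
  constructor(id, email) { this.id = id; this.email = email; }
}

// Hypothetical stand-in for the related model (user hasMany credentials).
class CredentialStore {
  constructor() {
    this.rows = []; // { userId, salt, hash }, oldest first
  }

  history(userId) { return this.rows.filter(r => r.userId === userId); }

  // Each row has its own salt, so the candidate is re-hashed per row.
  matches(row, password) {
    return timingSafeEqual(row.hash, scryptSync(password, row.salt, 32));
  }

  // Refuse a password matching any remembered hash; otherwise append a new row.
  setPassword(userId, password) {
    if (this.history(userId).some(r => this.matches(r, password))) return false;
    const salt = randomBytes(16);
    this.rows.push({ userId, salt, hash: scryptSync(password, salt, 32) });
    return true;
  }

  // Only the newest row is the current credential.
  verify(userId, password) {
    const h = this.history(userId);
    return h.length > 0 && this.matches(h[h.length - 1], password);
  }
}

function demo() {
  const store = new CredentialStore();
  const user = new User(1, 'alice@example.test'); // constructed sample data
  const first = store.setPassword(user.id, 'correct horse battery');
  const second = store.setPassword(user.id, 'staple-Tr0ub4dor');
  const reused = store.setPassword(user.id, 'correct horse battery');
  const oldValid = store.verify(user.id, 'correct horse battery');
  const newValid = store.verify(user.id, 'staple-Tr0ub4dor');
  return { json: JSON.stringify(user), first, second, reused, oldValid, newValid };
}

console.log(demo());
```

Because every stored hash has its own salt, the reuse check costs one scrypt computation per remembered password, which is worth bounding if the history is allowed to grow.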