# orm-help
j
Is there any significant security advantage in using a 3rd party authenticator like Auth0 versus the normal baked-in GraphCool email/password login?
l
The big one is if my system (using Auth0 or another 3rd party provider) is compromised, none of the user passwords are compromised. I simply need to invalidate all tokens (through Auth0) and tell Auth0 to change my signing key. The flip side is Auth0 is 100x more of a security target than your site. Are they more likely to be compromised than your site? You can make arguments, but I've gone with them. The other big Auth0 win is simplification of OAuth with third party providers. But if you're going to stick with username/password, don't think your site is much of a target, and think security first in your server's design, I'd roll my own.
j
Thanks, this is helpful to think through.