diff --git a/security.md b/security.md index 95cfbc8..f583a40 100644 --- a/security.md +++ b/security.md @@ -67,15 +67,6 @@ Monitor your endpoint's public certificate expiration date, to detect prevent ce Remember that SSL encrypts network traffic, but does not supply authentication. SSL is also not a replacement for 2FA. -### Hash your customer's passwords with a proper password hashing function - -This might seem to technical and for your developers eyes mostly but you need to be prepared for that data breach and this is low effort - high reward! If your database was breahed and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). - -* Use a well known hashing algorithm to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). - -* Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. - -* [Follow the OWASP guidance](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) and demand your developers hash passwords using one of the above. ### Picking a SaaS vendor 
@@ -149,6 +140,16 @@ Using git would allow you to add outsource/freelance developers for a limited ti * There are extra protection products on top of an antivirus called EDR (Cyberreason, BlackCobalt) but these are usually costly. +### Hash your customer's passwords with a proper password hashing function + + +If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management, password recovery, two factor auth and more. Some vendors offer Monthly Active Users pricing which can fit your budget. + +However, if you decide to develop your own authentication implementation, follow the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . + +* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). Therefore, always use hashing function *specifically designed for password storage* to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. + + ### Physical Security * Configure laptops to sleep after (at most) 5 minutes you are away from your desk, and require a password to re-open it. Ask employees to lock their laptops manually when they leave their desks, for example using [hot corners on macOS](https://support.apple.com/kb/PH18796), or by pressing logo key + L on Windows. 
@@ -249,7 +250,7 @@ At this point you should already have automated testing, and (at least semi-) au There are a number of Identity as a Service vendors that supply login and customer's password management services. If such a vendor is SOC2 Compliant they probably do a better job than you saving the customer's password in your database. -They also provide self service and apis to provision and de-provision users. Although, large customers might want integration with their own Identity management solution. +They also provide self service and apis to provision and de-provision users, enforce password policies, and recover lost passwords. Although, large customers might want integration with their own Identity management solution. ### Sensitive Data Leaks
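Review bot: On the first hunk (the removal at lines 67-81 of security.md), the deleted bullet `* [Follow the OWASP guidance](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) and demand your developers hash passwords using one of the above.` is the only place in the file that links the OWASP Password Storage Cheat Sheet, and the relocated section later in this patch links the Authentication Cheat Sheet instead, so the storage-specific reference is lost; keep that link when moving the section. Since this region is being touched anyway, the hunk header's context line "to detect prevent ce…" shows a leftover "detect"/"prevent" pair in the neighbouring sentence about certificate expiration that could be resolved in the same change.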
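Review bot: On the second hunk (the re-added "Hash your customer's passwords" section), the bullet's grammar needs a pass before merge: "always use hashing function *specifically designed for password storage* to store customers passwords" should read "always use a hashing function *specifically designed for password storage* to store customers' passwords", and "Passwords stored like this are cracked in seconds usually." reads better as "Passwords stored like this are usually cracked in seconds."; there is also a stray space before the full stop in `[OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) .`. Style: the hunk adds two consecutive blank lines after the new heading and two more before `### Physical Security`; one blank line matches the rest of the file. Two things to verify: the `#customer-users-management` anchor must match an existing heading (the hunk at line 249 edits the Identity-as-a-Service section, which looks like the intended target), and placing a section about customer password storage between the EDR bullet and "Physical Security" mixes it in with employee-endpoint material, so it may sit better next to that Identity-as-a-Service section.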
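Review bot: On the third hunk (line 252), "recover lost passwords" is the wrong word given that the same patch requires passwords to be stored only as bcrypt/PBKDF2/scrypt hashes: a properly hashed password cannot be recovered, only reset, so "reset lost passwords" (or "handle password resets") states the vendor's actual capability. Two smaller style points in the same line: "apis" should be "APIs", and "Although, large customers might want integration with their own Identity management solution." is a fragment with a misplaced comma; "Large customers may, however, want integration with their own identity management solution." reads cleanly.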