updateCredential doesn't update the old one, it creates a new one. The only reason this works is because the password handler query for the most current credential. (Same as TOTP).

This will be a storage leak over time as passwords are reset and tokens added/created.