Thanks for reporting that. Auth bypass should be fixed when STR merges my pull request.
From my PR:
"CRITICAL FIX for auth bypass. All users are recommended to update.
When user(before entering password) executes /register, plugin doesn't check if the player
is already registered. Although the password hash isn't changed due
to a safety in Passwords:AddHash, the main function still sets
IsAuthed[Player:GetUniqueID()] = true"
(From what i can see in the github logs, this issue was there for over a year.)
From my PR:
"CRITICAL FIX for auth bypass. All users are recommended to update.
When user(before entering password) executes /register, plugin doesn't check if the player
is already registered. Although the password hash isn't changed due
to a safety in Passwords:AddHash, the main function still sets
IsAuthed[Player:GetUniqueID()] = true"
(From what i can see in the github logs, this issue was there for over a year.)