Anything that looks like a password, OTP, or recovery code is dropped before storage and never reaches a model.