h3. Authentication security projects for a later date


* Track 'failed logins this hour' and demand a captcha after say 5 failed logins
  ("RECAPTCHA plugin.":http://agilewebdevelopment.com/plugins/recaptcha)
  "De-proxy-ficate IP address": http://wiki.codemongers.com/NginxHttpRealIpModule

* Make cookie spoofing a little harder: we set the user's cookie to
  (remember_token), but store digest(remember_token, request_IP). A CSRF cookie
  spoofer has to then at least also spoof the user's originating IP
  (see "Secure Programs HOWTO":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html)

* Log HTTP request on authentication / authorization failures
  http://palisade.plynt.com/issues/2004Jul/safe-auth-practices