Hi, just catching up on this very nice thread. I'm +1 on using the login for the docid instead of triggering a view lookup, for the reasons Chris outlined. Regarding resistance to brute force attacks, bcrypt storage is definitely better than salted sha-anything, and Colin Percival's scrypt[1] is definitely better than bcrypt. I'm not aware of JavaScript implementations of either of them, though.
I'm curious to see where we end up on the whole 401 Unauthorized browser popup thing. At Cloudant we still respond with a 401 if a basic auth request failed, but we send a 403 if a /_session request failed or a cookie expired, and for exactly this reason. Anyway, nice work Chris!

Best,
Adam

[1]: http://www.tarsnap.com/scrypt.html
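An added example (my own illustration, not Cloudant's or CouchDB's code) of the two points in this message in Python: passwords stored as salted scrypt hashes via hashlib.scrypt, and a failed Basic auth answered with 401 plus a WWW-Authenticate challenge while a failed or expired session cookie gets a 403 with no challenge, so the browser shows no login popup. The credential store, session table, cookie name and realm are constructed for the demo.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode

# Constructed credential store (login -> salt + scrypt hash); not CouchDB's real format.
def hash_password(password: str, salt: bytes) -> bytes:
    """scrypt (Percival) with illustrative cost parameters; falls back to PBKDF2
    only if the local OpenSSL build lacks scrypt."""
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def make_user(password: str) -> dict:
    salt = os.urandom(16)  # per-user random salt
    return {"salt": salt, "hash": hash_password(password, salt)}

USERS = {"adam": make_user("correct horse")}  # constructed sample user
SESSIONS = {"good-cookie": "adam"}             # constructed: live session token -> login

def check_password(login: str, password: str) -> bool:
    rec = USERS.get(login)
    if rec is None:
        hash_password(password, bytes(16))  # spend the same work for unknown logins
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def basic_header(login: str, password: str) -> str:
    return "Basic " + b64encode(f"{login}:{password}".encode()).decode()

def authenticate(headers: dict):
    """Return (status, response_headers, login).
    Failed Basic auth -> 401 plus WWW-Authenticate (the browser shows its popup).
    Missing/expired session cookie -> 403 with no challenge, so no popup appears."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            login, _, pw = b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            login, pw = "", ""
        if check_password(login, pw):
            return 200, {}, login
        return 401, {"WWW-Authenticate": 'Basic realm="db"'}, None
    cookie = headers.get("Cookie", "")
    jar = dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
    login = SESSIONS.get(jar.get("AuthSession"))
    if login:
        return 200, {}, login
    return 403, {}, None
```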
