Is there any way to hide the salt and hash from the _users database and still allow users to log in? It seems too easy for an attacker to download the database and run dictionary attacks (especially with passwords some of my users choose). I'm aware that I could protect the _users database, but then I will need to have some server-side code that uses an appropriate account to authenticate and set the cookie for the user. That is not a huge deal of work, but I'm trying to keep everything within the CouchApp model (while still being able to Relax).
Thanks!
