Is there anyway to hide the salt and hash from the _users database and still
allows user to login?
It seems too easy for an attacker to download the database and run
dictionary attacks (Especially with passwords some of my users choose).
I'm aware that I could protect the _users database, but then I will need to
have some server side code that uses an appropriate account to authenticate
and set the cookie for the user.
Which is not a huge deal of work but I'm trying to keep everything within
the CouchApp model (while still being able to Relax).