move to bcrypt for password hashing and storage. This satisfies @benadida's...

move to bcrypt for password hashing and storage.  This satisfies @benadida's crazy paranoia, so it closes #35.  In other news, the 'forgot password' flow is now complete (this change solves the case where you forget your password for an email and reset it with precisely the same password --- because auth is salted, the registration_status call will delay 'complete' until you actually click through.  tl;dr; - closes #18