move to bcrypt for password hashing and storage.  This satisfies @benadida's crazy paranoia, so it closes #35.  In other news, the 'forgot password' flow is now complete (this change solves the case where you forget your password for an email and reset it with precisely the same password --- because auth is salted, the registration_status call will delay 'complete' until you actually click through.  tl;dr; - closes #18

move to encrypted cookies for persistent auth with the IP, fix several usability bugs related to the abscense of this