Implementation Notes on BCrypt Authenticator

These are some implementation notes on the BCrypt Authenticator and its relative security.

• The login form accepts the user's password as plain text. This means that you should use SSL to keep the password from being exposed on the network.
• The salt used is a unique one-time value. Each time a password is generated, a new salt is generated and used only with that password.