If a user enters in an incorrect password too many times (this should be configurable in config/auth.js) they should be locked out from logging in for a configurable amount of time.

This will involve creating a new table to keep track of authentication attempts and whether or not they were successful and from which IP addresses.