I looked at bcrypt, which helps with secure password storage. I don't quite understand how it works, but I've seen that it prevents brute-force attacks... there is lots of CPU usage during hashing and verification.

I continued playing with Nickel (started few weeks ago), and am liking it more, largely due discovering a less-magical way of doing things where you'd use functions instead of a macro named middleware. I've also been playing with nickel-jwt-session, which offers such a convenient API to use for working with JSON Web Tokens. I even made two small contributions to the project.