- hash the password, with salt (currently it's plain text, which is a no-go!)
- make the login mechanism more robust:
  - http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-Encrypting-Data-in-the-Client/2/
  - have CHAP by default (working also over HTTP)
  - if there is no JavaScript, allow the "plain over HTTPS" fallback
- check the timeout when verifying a user's registration code
- database model for a simple CMS:
  - http://www.techrepublic.com/article/two-ways-to-design-a-database-for-a-net-based-cms/
- try to use the template mechanism for e-mail in plain text and HTML; the renderer should be callable outside the HTTP response mechanism
- start up only if the tables are instantiated and match the schema epoch in the code (see Bacula)
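As an added illustration of the first items above (salted stored verifier, CHAP-style challenge/response login, and the registration-code timeout), here is example code that is not the project's own; the challenge format, the TTL values, the PBKDF2 parameters and the `AuthServer` API are all assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumption: cost factor for the stored verifier
CHALLENGE_TTL = 60       # assumption: seconds a login challenge stays valid
REG_CODE_TTL = 86400     # assumption: seconds a registration code stays valid

def make_verifier(password, salt):
    # Salted, slow hash stored in the DB instead of the plain-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def chap_response(challenge, verifier):
    # Client side (browser JS in the real app): rebuild the verifier from salt and
    # password, then answer the challenge with an HMAC keyed by it.
    return hmac.new(verifier, challenge, hashlib.sha256).digest()

class AuthServer:
    def __init__(self):
        self.users = {}       # username -> dict(salt, verifier, code, issued, confirmed)
        self.challenges = {}  # username -> (challenge, issued_at), single use

    def register(self, username, password, now):
        salt, code = os.urandom(16), os.urandom(16).hex()  # code is e-mailed to the user
        self.users[username] = dict(salt=salt, verifier=make_verifier(password, salt),
                                    code=code, issued=now, confirmed=False)
        return code

    def confirm_registration(self, username, code, now):
        # Timeout check first, then a constant-time compare of the code.
        u = self.users.get(username)
        if u is None or u["confirmed"] or now - u["issued"] > REG_CODE_TTL:
            return False
        u["confirmed"] = hmac.compare_digest(u["code"].encode(), code.encode())
        return u["confirmed"]

    def issue_challenge(self, username, now):
        # CHAP step 1: hand the client its salt and a fresh random challenge.
        challenge = os.urandom(32)
        self.challenges[username] = (challenge, now)
        return self.users[username]["salt"], challenge

    def verify_login(self, username, response, now):
        # CHAP step 2: the challenge is consumed here and must not be stale.
        u, entry = self.users.get(username), self.challenges.pop(username, None)
        if u is None or not u["confirmed"] or entry is None:
            return False
        challenge, issued_at = entry
        expected = chap_response(challenge, u["verifier"])
        return now - issued_at <= CHALLENGE_TTL and hmac.compare_digest(expected, response)
```

With this scheme the stored verifier is password-equivalent for the CHAP step (whoever reads the DB row can answer a challenge), so the salted slow hash protects the password against offline cracking but not against direct use of a stolen row. CHAP over plain HTTP keeps the password off the wire, while the rest of the session stays unprotected; the HTTPS fallback would instead receive the password and compare `make_verifier(password, salt)` with the stored verifier.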