- hash the password, with salt (currently it's plain text which is a no go!)
- check timeout when verifying the registration code of a user