Well, it's a stored MD5 hash in a database that checks from a php page with no login timeouts; from a security standpoint anything that can submit a form would be capable of breaking a login after some point.
That brings up a valid notation that I think we should have some sort of brute force detection; perhaps log every 10 requests a user makes under a ~20 second span...