Querki should rate-limit login attempts
Summary: At the moment, we're not doing anything to track login attempts. That's a security hole: a determined attacker could spew lots of login guesses to try to crack someone's password. If a user has a weak password, this makes it far too easy for someone to crack it.
Fixing this isn't trivial, but it shouldn't be too hard. Roughly speaking, we should probably have another ClusterSharding cloud, with an Actor per user, responsible for managing login attempts. Any time someone logs in, it hits this cloud, and that does the actual password decryption. (Which gets that DB access away from the front end, which is good anyway.) If the login is successful, the Actor immediately passivates itself; otherwise, it increments a counter. After some reasonable number of attempts (somewhere in the range of 5 to 10), it locks out further attempts and sets a timer for, say, 10-15 minutes. At the end of the timer, it passivates itself, so the process can begin again.
Note that the sharding needs to be per-user, not per-IP, because an attacker with a zombie horde could easily use a variety of machines to go after the same login. That said, it might also be useful to track IPs, and lock out an IP more aggressively if it makes multiple failed logins against multiple user accounts. Think about this carefully, though: given the reality of modern networks, the same IP address might have many real users behind it.
Assuming we do this, it needs UI support. The user must receive a clear message indicating why they are locked out, and should probably receive a warning 1-3 tries before getting locked out.
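To make the design above concrete, here is an added model of the per-user guard, the optional per-IP tracker, and the "tries remaining" warning the UI needs. This is example code written for this issue, not Querki's code and not Akka: UserLoginGuard stands in for the sharded per-user Actor (a plain object with an injected clock instead of a real timer), IpSpreadTracker counts distinct accounts an address has failed against, and the credential store, user name, password and IP addresses are constructed placeholder data. The thresholds are picked from the ranges in the text (5 attempts, 15-minute lock, warn at 2 remaining).

```python
"""Model of the per-user login-attempt guard sketched in the issue (added example, not Querki code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Tunables chosen from the ranges given in the issue text.
MAX_ATTEMPTS = 5            # lock the account after this many consecutive failures (5-10)
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts before the guard passivates (10-15 min)
WARN_AT_REMAINING = 2       # start warning the user when this many tries remain (1-3)


@dataclass
class LoginResult:
    ok: bool
    locked: bool
    remaining: Optional[int]    # tries left before lockout; None when not applicable
    retry_after: Optional[int]  # seconds until the lock expires; None when not locked
    message: str                # text the UI would show the user


class UserLoginGuard:
    """Stands in for one sharded Actor: it owns the failure counter and lock timer
    for exactly one user, and 'passivate' resets it to a blank state."""

    def __init__(self, user_id: str, check_password: Callable[[str, str], bool]):
        self.user_id = user_id
        self.failures = 0
        self.locked_until: Optional[float] = None
        self._check_password = check_password

    def _passivate(self) -> None:
        self.failures = 0
        self.locked_until = None

    def attempt(self, password: str, now: float) -> LoginResult:
        # A live lock short-circuits before the password is even checked.
        if self.locked_until is not None:
            if now < self.locked_until:
                wait = int(self.locked_until - now)
                return LoginResult(False, True, 0, wait,
                                   f"Account locked after too many failed logins; try again in {wait // 60 + 1} minute(s).")
            self._passivate()  # timer expired: the process begins again
        if self._check_password(self.user_id, password):
            self._passivate()  # success: drop the failure history immediately
            return LoginResult(True, False, None, None, "Login successful.")
        self.failures += 1
        remaining = MAX_ATTEMPTS - self.failures
        if remaining <= 0:
            self.locked_until = now + LOCKOUT_SECONDS
            return LoginResult(False, True, 0, LOCKOUT_SECONDS,
                               f"Too many failed logins; this account is locked for {LOCKOUT_SECONDS // 60} minutes.")
        if remaining <= WARN_AT_REMAINING:
            msg = f"Incorrect password. {remaining} attempt(s) left before the account is locked."
        else:
            msg = "Incorrect password."
        return LoginResult(False, False, remaining, None, msg)


class IpSpreadTracker:
    """Per-IP view: how many *distinct* accounts an address has failed against within a
    window. Counting distinct accounts rather than raw failures keeps one person behind a
    shared (NAT) address from tripping it by mistyping their own password."""

    def __init__(self, window_seconds: int = 10 * 60, max_distinct_accounts: int = 3):
        self.window_seconds = window_seconds
        self.max_distinct_accounts = max_distinct_accounts
        self._failures: Dict[str, Dict[str, float]] = {}  # ip -> {user_id: last failure time}

    def record_failure(self, ip: str, user_id: str, now: float) -> None:
        self._failures.setdefault(ip, {})[user_id] = now

    def is_suspicious(self, ip: str, now: float) -> bool:
        recent = {u: t for u, t in self._failures.get(ip, {}).items() if now - t <= self.window_seconds}
        self._failures[ip] = recent  # forget entries that fell out of the window
        return len(recent) >= self.max_distinct_accounts


# --- Constructed credential store: placeholder user and password, not real data ---
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)  # iteration count kept low for the demo


_SALT = b"constructed-demo-salt"
_USERS = {"alice": _hash_password("correct horse battery", _SALT)}


def check_password(user_id: str, password: str) -> bool:
    stored = _USERS.get(user_id)
    if stored is None:
        _hash_password(password, _SALT)  # hash anyway so unknown users cost the same time
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


class LoginService:
    """Front door: routes each attempt to the guard for that user (the sharding key)
    and reports every failure to the IP tracker."""

    def __init__(self) -> None:
        self.guards: Dict[str, UserLoginGuard] = {}
        self.ip_tracker = IpSpreadTracker()

    def login(self, user_id: str, password: str, ip: str, now: float) -> LoginResult:
        guard = self.guards.setdefault(user_id, UserLoginGuard(user_id, check_password))
        result = guard.attempt(password, now)
        if not result.ok:
            self.ip_tracker.record_failure(ip, user_id, now)
        return result
```

The clock is passed in (`now`) rather than read from the system so the lockout and expiry paths can be exercised deterministically; in the real Actor the same transitions would be driven by the scheduler timer and the passivation message. Note that the IP tracker only flags an address when it has failed against several different accounts in the window, which is the "more aggressive" signal the text describes while staying indifferent to one legitimate user behind a shared address.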