+some other form of authentication, such as [[httpauth]] or [[openid]].
+
+When the `account_creation_password` configuration option is enabled with
+a password, this plugin prompts for the password when creating an
+account as a simplistic anti-spam measure.
+(Some wikis edited by a particular group use an account creation password
+as an "ask an existing member to get an account" system.)
+
+## password storage
+
+Users' passwords are stored in the `.ikiwiki/userdb` file, which needs to
+be kept safe to prevent exposure of passwords. If the
+[[!cpan Authen::Passphrase]] perl module is installed, only hashes of the
+passwords will be stored. This is strongly recommended.
+
+The `password_cost` configuration option can be used to make the stored
+password hashes be more difficult to brute force, at the expense of also
+taking more time to check a password when a user logs into the wiki. The
+default value is 8, max value is (currently) 31, and each step *doubles*
+the time required.
+
+So if you're worried about your password files leaking and being cracked,
+you can increase the `password_cost` and make that harder. But a better
+choice might be to not deal with user passwords at all, and instead use
+[[openid]]!