-A downside to this module is that it does not use a session to
-preserve state so get_pass_by_user has to happen on every request (any
-authenticated area has to verify authentication each time). A plus is
-that you don't need to use a session if you don't want to. It is up
-to the interested reader to add caching to the get_pass_by_user
+A theoretical downside to this module is that it does not use a
+session to preserve state so get_pass_by_user has to happen on every
+request (any authenticated area has to verify authentication each
+time). In theory you should be checking the password everytime a user
+makes a request to make sure the password is still valid. A definite
+plus is that you don't need to use a session if you don't want to. It
+is up to the interested reader to add caching to the get_pass_by_user