Authentication is vulnerable to brute force attacks

The authentication code throws HTTP 401 but it doesn't stall or block the client. This makes it feasible for a brute force attack since the tracker is well capable of handling more than 15000 requests per minute.
