Well, 1000 bitcoins are a lot of money.
Perhaps accounts should have daily transaction limits, which the user can reduce online at any time but which require admin intervention to raise.
Moreover, we need two levels of password:
1) An account password, sent via password-authenticated key agreement, not HTTPS.
2) A time-synchronized one-time password or a 2D key, to authorize movements, so that even if the password is stolen it is impossible to authorize another transaction.
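As an added illustration of the second level proposed above (not code from the poster or from any exchange), here is a server-side check for a time-synchronized one-time password that authorizes a single withdrawal. It assumes RFC 6238 TOTP over HMAC-SHA1 with 30-second steps, 6 digits and a one-step drift window; those parameters, and the `TransactionAuthorizer` class, are assumptions for the example. The part the post cares about is the replay rule: once a code has authorized one transaction, the same code (and any older one) is refused, so a captured code cannot authorize a second movement.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed parameters (not stated in the thread): RFC 6238 TOTP with HMAC-SHA1,
# 30-second steps, 6 digits, and a +/-1 step window to tolerate clock drift.
STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


class TransactionAuthorizer:
    """Server-side verifier for the second factor that authorizes a withdrawal.

    Besides checking the code, it remembers the highest counter already consumed,
    so a code that authorized one transaction cannot authorize another, even if
    it was captured in transit or phished together with the account password.
    """

    def __init__(self, secret: bytes, window: int = DRIFT_WINDOW) -> None:
        self.secret = secret          # per-user shared secret from enrolment
        self.window = window
        self.last_counter = -1        # highest counter value already used

    def authorize(self, code: str, for_time: Optional[float] = None) -> bool:
        if for_time is None:
            for_time = time.time()
        now = int(for_time // STEP_SECONDS)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue              # already consumed (or older): treat as replay
            # constant-time comparison so timing does not leak matching prefixes
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret, not a real user key.
    demo_secret = b"12345678901234567890"
    auth = TransactionAuthorizer(demo_secret)
    code = totp(demo_secret, 59)
    print("first withdrawal with", code, "->", auth.authorize(code, 59))
    print("second withdrawal with the same code ->", auth.authorize(code, 59))
```

In a real deployment the secret is stored per user, `last_counter` is persisted alongside it (a restart must not reset it), and the code is bound to a specific transaction by only calling `authorize` from the withdrawal handler after the amount and destination have been fixed.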
I assume you're talking about a TAN? This is a good idea.
No use of cookies at all.
Not really a big fan of this. It means the URL requires a session identifier to be included, or the entire site runs through POSTs?
All passwords should be stored using one-way encryption with a unique salt per user (salt to be a minimum of 128 bits) and iterative hashing.
Fixed that for you.
thx
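As an added example of the password storage described in the thread above (not code from any poster), the following stores each password as an iterated hash with a fresh 128-bit salt per user. PBKDF2-HMAC-SHA256, the 200,000-iteration work factor and the `pbkdf2_sha256$iterations$salt$hash` record format are assumptions for the example; the record carries its own parameters so the work factor can be raised later and old records re-hashed at the user's next login.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed current work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit salt, unique per user, as the post requires
KEY_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt and hash."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh CSPRNG salt per call
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=KEY_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password record: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with a weaker work factor than the current one."""
    iterations, _, _ = _parse(stored)
    return iterations < ITERATIONS


def login(password: str, stored: str):
    """Typical login flow: verify, then transparently upgrade stale records.

    Returns (ok, new_record): new_record is None unless the stored record
    should be replaced in the database.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)   # only possible while we hold the plaintext
    return True, None


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    record = hash_password("correct horse battery staple")
    print(record)
    print("correct password:", verify_password("correct horse battery staple", record))
    print("wrong password:  ", verify_password("Correct horse battery staple", record))
    old_record = hash_password("correct horse battery staple", iterations=10_000)
    ok, upgraded = login("correct horse battery staple", old_record)
    print("old record accepted and upgraded:", ok, upgraded is not None)
```

Because the salt is random per record, two users with the same password get different hashes and a precomputed table for one salt is useless against the rest; the iteration count is what makes each guess expensive for an attacker who steals the table.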