for _any_ failed authentication, because that's what causes the
browser to give you a repeat password prompt. If we ever return 403,
the browser will _remember_ your wrong password, and give you 403
again the next time without letting you have a chance to
reauthenticate.