After the password breach/notification banner, I started to look a bit closer at things. When logging into AF, it is not over SSL (I'm sure the reason for that is money). But more than that, it POSTs the password in plain text. I believe vBulletin allows for sending MD5-hashed credentials instead; it may just need a configuration change.
Granted, this is still in plain text over the wire, but you are giving up more info with the unhashed password. Anyone with my password can also get the hash, and possibly can get other passwords/security questions/social-engineer more info about me. Anyone with the hash cannot reasonably get my password; they can only get access to AndroidForums as me.
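The trade-off described in the post above, as an added example that is not part of the original post and is not vBulletin's code: a toy login backend that compares what an observer of a plaintext-password POST and of an MD5-hashed POST can do afterwards. The `ForumSite` class, the user name, the sample password and the `md5(md5(password) + salt)` storage scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


class ForumSite:
    """Hypothetical backend. Stores md5(md5(password) + salt), never the password."""

    def __init__(self, accept_client_hash: bool):
        self.accept_client_hash = accept_client_hash
        self.users = {}  # username -> (salt, stored_hash)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(8).hex()
        self.users[user] = (salt, md5_hex(md5_hex(password) + salt))

    def login(self, user: str, credential: str) -> bool:
        """credential is whatever the browser POSTed: the password or its MD5."""
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        inner = credential if self.accept_client_hash else md5_hex(credential)
        return hmac.compare_digest(md5_hex(inner + salt), stored)


def observe_and_replay(password: str) -> dict:
    """Report where a value seen on an unencrypted login can be reused."""
    hashed_site = ForumSite(accept_client_hash=True)   # browser POSTs md5(password)
    plain_site = ForumSite(accept_client_hash=False)   # browser POSTs the password
    other_site = ForumSite(accept_client_hash=False)   # same password reused elsewhere
    for site in (hashed_site, plain_site, other_site):
        site.register("alice", password)

    seen_hash = md5_hex(password)  # value on the wire at hashed_site
    seen_plain = password          # value on the wire at plain_site
    return {
        "hash_replayed_same_site": hashed_site.login("alice", seen_hash),
        "hash_used_on_other_site": other_site.login("alice", seen_hash),
        "plain_replayed_same_site": plain_site.login("alice", seen_plain),
        "plain_used_on_other_site": other_site.login("alice", seen_plain),
    }
```

In both modes the value on the wire is sufficient to log in to the site that accepts it, so client-side hashing only narrows where a captured credential can be reused; protecting the login itself still requires TLS.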