This blog entry has been updated.
It's a sad fact of life on the internet that no web server is perfectly invulnerable to attack by malicious agents. Despite the best efforts of server administrators and website developers to make web sites secure, people continue to discover and exploit vulnerabilities to break into online systems and execute harmful programs or obtain private data.
While it may be tempting to assume that some online private data sets - say, your online banking credentials - are more important than others - say, your RTH user account - the problem is that people tend to use the same password on both low- and high-security websites.
If you do this, your online security is only as safe as the least secure website you use, since malicious agents can obtain usernames and passwords from sites with weak security and use those credentials to log into sites with strong security.
One way website developers can mitigate the risk of attack is to hash user passwords with a one-way function before storing them in a database. That way, even if user data is compromised, the attacker will end up with a set of obfuscated passwords rather than the passwords themselves.
The problem is that the MD4 hashing algorithm is designed to be fast. As a result, a malicious hacker with a reasonably powerful computer can use a brute-force or dictionary attack to recover the passwords behind the hashes.
Instead of a fast hashing algorithm, which makes it easy for attackers to use brute force, security experts recommend using a more computationally expensive (read: slow) algorithm, such as bcrypt.
Effective immediately, RTH now uses bcrypt to store user passwords, via Damien Miller's py-bcrypt implementation.
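The difference between a fast hash and a deliberately slow one, as an added example that is not RTH's code: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so it runs without extra packages, and a single SHA-256 pass as a stand-in for the fast algorithm. The record format, function names, and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # work factor (assumed value); raise it as hardware gets faster


def fast_hash(password: str) -> str:
    """The weak scheme: one unsalted pass of a fast digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slow, salted hash; the record carries its own salt and work factor."""
    salt = os.urandom(16)  # per-user salt: equal passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than the current one."""
    return int(stored.split("$")[1]) < iterations


def cost_ratio(password: str = "constructed sample password", n: int = 2000) -> float:
    """How many times more one slow-hash guess costs than one fast-hash guess."""
    start = time.perf_counter()
    for _ in range(n):
        fast_hash(password)
    fast = (time.perf_counter() - start) / n
    start = time.perf_counter()
    hash_password(password)
    return (time.perf_counter() - start) / fast


if __name__ == "__main__":
    record = hash_password("constructed sample password")
    print(record)
    print(verify_password("constructed sample password", record))
    print(f"one guess costs ~{cost_ratio():,.0f}x more than with the fast hash")
```

Calling `needs_rehash` after a successful login lets a site raise the work factor over time without forcing password resets.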
Update: I tweaked the session management functionality so that pages load more quickly.