I would very much appreciate a primer on where my understanding of cookie security is wrong. Is it that the cookie is only appearing encrypted on my machine while it is not, or that you know the server salt, or that you used an improved cracklib (mind you the pwd string is not that good), or that you got a cleartext cookie?

Actually, it is none of this. I am sure the password is encrypted and I do not know now what it is/was. I know nothing about the server, much less any salt and have no access to such information. I did not use any tools besides a browser. And the only thing I got was the string you provided me with.

What you missed about cookie security is simply this: if you browser needs certain information to remember you and keep you logged in, then my browser can use the same information to log me in as you.

This is why user supplied javascript is insecure on a site like this, because I can get that information about you and send it to me. Javascript is generally not insecure in this way, and even though I rarely use them, I do not disapprove of js as such - used right, it is fine. What we have here is the unlucky combination of user supplied javascript that is not filtered and a login that doesn't time you out or take other measures to ensure that you are you. So generally, such as warning as Petruchio's is also uncalled for, it is only valid for this site and other sites that allow this. Keep js on for any other place if you want. :)

I do not wish to change the login and cookie thingy - it is fine if we just remove the scripts. And it is safe in other ways, meaning that it is as hard or harder to simply guess your cookie without information as it is guessing your password in the first place.

---

You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.