About Petruchio's password hash hack... It is not so bad, because it only shows the encrypted pwd and can only access cookies related to PerlMonks. With current JS security, I believe that unless you send email messages, you can only talk to the server the page came from.
If I can display your cookie to you, I can send it to me. If I can get your cookie, I can log in as you.
I'm not sure what is allowed nowadays in scripts on home nodes, and I didn't go check the script in question (I'm pretty sure Petruchio is *not* sending it anywhere anyways), but the above should be true unless someone actually took a lot of time parsing and allowing certain JS commands and not others. :)
You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.