I have some low buy offers in; I'm curious how they'll deal with those. Sounds like we will have a 'go back in time' moment.
Here's how password security on bitoption works:
1) We take your password via an SSL-only POST request. (This used to be a GET request before we turned on the anti-CSRF functionality. POST is marginally more secure; some logs will log the entire URL, so there was a chance of leakage that way, but it would only be at the endpoints of the request.) As it is, this is now encrypted end to end.
2) We have a sitewide secret salt that is used in all hashes.
3) We have a per-account 'nonce' that is used to salt the password.
4) We store only the SHA-256 hash of the password, secret, and nonce.
As far as I know, the combination of 3 and 4 is industry best practice for one-factor authentication; it means that a rainbow attack is computationally difficult, in that each rainbow table is only effective for one account.
Happy to take further suggestions.
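The scheme in steps 2 to 4 of the post above, written out as an added Python example (not bitoption's code): a site-wide secret plus a per-account nonce fed into SHA-256, with a constant-time verify. The site secret value, the length-prefixed field encoding and the PBKDF2 variant at the end are assumptions of this example, not things the post states.

```python
import hashlib
import hmac
import secrets

# Constructed site-wide secret (assumption). On a real site this lives in
# server configuration, never in the database next to the hashes.
SITE_SECRET = b"constructed-sitewide-secret-do-not-reuse"


def new_account_nonce() -> str:
    """Per-account random salt, generated once when the account is created."""
    return secrets.token_hex(16)


def hash_password(password: str, nonce: str, secret: bytes = SITE_SECRET) -> str:
    """SHA-256 over password, site secret and per-account nonce, as the post describes.

    The post does not say how the three values are joined; length-prefixing
    each field (an assumption here) makes the encoding unambiguous.
    """
    h = hashlib.sha256()
    for part in (password.encode("utf-8"), secret, nonce.encode("utf-8")):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def verify_password(password: str, nonce: str, stored_hash: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(hash_password(password, nonce), stored_hash)


def hash_password_slow(password: str, nonce: str, secret: bytes = SITE_SECRET,
                       iterations: int = 600_000) -> str:
    """Same three inputs through PBKDF2-HMAC-SHA256 (not what the post describes).

    A single SHA-256 is cheap per offline guess; an iterated KDF multiplies the
    attacker's cost per guess by `iterations` while the per-account nonce still
    keeps precomputed tables from being shared across accounts.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               secret + nonce.encode("utf-8"), iterations).hex()


def demo() -> bool:
    """Two accounts with the same password must not end up with the same hash."""
    nonce_a, nonce_b = new_account_nonce(), new_account_nonce()
    stored_a = hash_password("correct horse", nonce_a)
    stored_b = hash_password("correct horse", nonce_b)
    return (stored_a != stored_b
            and verify_password("correct horse", nonce_a, stored_a)
            and not verify_password("correct horse", nonce_b, stored_a)
            and not verify_password("wrong guess", nonce_a, stored_a))
```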