I've heard from several people now that they don't need a secure password for their local bitcoind, as "it's only listening on localhost" or as "the local network is secured by a firewall". Just a friendly reminder that neither of those protects you. If you have a bitcoind running on localhost and you use a weak password, it's trivial for an attacker to steal your bitcoins.
For example, a potential attack that uses the user's web browser might look like the following:
- Create an <img> tag that loads a URL with a username:password given in the img tag. This gets you around the HTTP basic authentication of the bitcoind.
- Use Flash to send a HTTP request to the bitcoind that transfers the coins to another address. Same-origin policies don't protect you here, as Flash applies those policies to the response instead of the request. So the Flash applet can't read bitcoind's reply, but can still send the request.
- Repeat in a loop with a large number of potential passwords.
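The defence against the guessing loop above is an rpcpassword that cannot be guessed in any number of browser-driven requests. The following is an added example, not code from the post or from the Bitcoin project: it parses a constructed bitcoin.conf fragment, estimates the strength of the rpcpassword it finds, flags weak ones, and generates a replacement from the OS random source. The 128-bit threshold and the audit function names are assumptions made here, not a Bitcoin project recommendation.

```python
import math
import re
import secrets

# Constructed sample bitcoin.conf fragment (not taken from the post); the
# password is deliberately the kind of value the post warns about.
WEAK_CONF = """\
server=1
rpcuser=bitcoinrpc
rpcpassword=password1
"""

# Assumption: require roughly 128 bits of estimated entropy. Browser-driven
# guessing is unbounded by "localhost only", so the password itself must be
# out of reach of any realistic guessing loop.
MIN_PASSWORD_BITS = 128


def parse_conf(text):
    """Parse key=value lines of a bitcoin.conf into a dict; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def estimate_bits(password):
    """Rough entropy estimate: length * log2(size of the character classes present)."""
    if not password:
        return 0.0
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset)


def audit_rpc_password(conf_text):
    """Return a list of findings for the RPC credentials in a bitcoin.conf text; empty means OK."""
    conf = parse_conf(conf_text)
    findings = []
    pw = conf.get("rpcpassword", "")
    if not pw:
        findings.append("no rpcpassword set")
        return findings
    bits = estimate_bits(pw)
    if bits < MIN_PASSWORD_BITS:
        findings.append(f"rpcpassword too weak: ~{bits:.0f} bits, need >= {MIN_PASSWORD_BITS}")
    # A few obvious patterns a guessing loop would try first (constructed list).
    lowered = pw.lower()
    if "password" in lowered or lowered in {"bitcoin", "bitcoind", "123456", "admin"}:
        findings.append("rpcpassword is a dictionary-style value")
    user = conf.get("rpcuser", "")
    if user and user.lower() in lowered:
        findings.append("rpcpassword contains the rpcuser value")
    return findings


def generate_rpc_password(nbytes=32):
    """Generate a random URL-safe rpcpassword carrying nbytes of entropy from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for finding in audit_rpc_password(WEAK_CONF):
        print("finding:", finding)
    print("suggested rpcpassword:", generate_rpc_password())
```

Run it against your own bitcoin.conf by passing the file contents to audit_rpc_password; if it reports findings, replace the rpcpassword line with the generated value and restart bitcoind. The entropy estimate is deliberately crude (it only counts character classes), so treat it as a floor that catches the "password1" class of values, not as proof that a password is strong.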