Originally Posted by NameCoin
It seems that FlyerTalk does not encrypt the login process either. Although the password hash is sent instead of the actual password, the function used is MD5 and there isn't any salting. This setup seems especially weak these days. I suppose an attacker could sniff the hash out of the open network and attempt some kind of dictionary attack against it, straight-out compromising the FT account and possibly others, if the password has been reused.
NameCoin is exactly right. These days MD5 hashes are extraordinarily vulnerable to dictionary attacks, especially since RockYou.com was hacked and 32+ million actual user passwords were made public. This dictionary is the gold standard and has allowed script kiddies to be credible hackers. Agree with others that FlyerTalk logins are a low value target, but salting the passwords is a relatively trivial task which would greatly improve the security.
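The salting point raised in the two posts above, as an added example that is not part of either post and is not FlyerTalk's code: unsalted MD5 gives every user of the same password the same stored value, while a per-user salt with a slow KDF does not. The account names, passwords, record format and the PBKDF2 work factor are assumptions chosen for illustration, and salting does nothing for the unencrypted login transport.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def md5_unsalted(password: str) -> str:
    # Scheme described in the thread: bare MD5, no salt.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_salted(password: str, salt: bytes | None = None) -> str:
    # Per-user random salt plus a slow KDF; the salt is stored beside the hash.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, record: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed or unsupported record
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def users_sharing_a_value(table: dict[str, str]) -> list[list[str]]:
    # Users whose stored value is identical: one precomputed entry matches them all.
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

# Constructed sample accounts; two users picked the same password.
SAMPLE = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

if __name__ == "__main__":
    unsalted = {u: md5_unsalted(p) for u, p in SAMPLE.items()}
    salted = {u: hash_salted(p) for u, p in SAMPLE.items()}
    print("unsalted MD5, identical values:", users_sharing_a_value(unsalted))
    print("salted PBKDF2, identical values:", users_sharing_a_value(salted))
    print("correct password verifies:", verify_salted("password", salted["alice"]))
```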