Good point. I'll implement that as well. Yes, they are hashed. Thanks. I have no problem being cautious, or sensitive to privacy. In a place where we want people to speak freely, it doesn't hurt. I'll follow up.While we're talking about security: you really ought to require that people re-enter their existing password when changing their password.
Finally: I assume that you're hashing the password on the database side, and not just storing them plaintext.
You're doing great work, mk: please don't think I'm nickpicking! Security's important, and it's worth getting right.
Or better yet, use bcrypt, PBKDF2, or scrypt. Salted hashes slow a cracker down by a day or two, but an actual work factor turns that into years or decades. I'm not too sure what has been implemented (well) in arc, so that may or may not be the deciding factor on the matter, but any of the three is better than a simple salt.