They actually say:
"Slash's security is weak. It is so bad that one would think it was created by Microsoft"
So assuming a user actually changes his or her password, Slash 2.0 actually does a decent job of obfuscating it in a cookie with MD5 encryption. In terms of account lockout, the Slash distribution also includes a script to aid in IP address banning for suspicious brute-force behavior.
Chatham Township Data Corporation [ctdata.com]