If CookieAuth and PasswordAuth are both offered, and cookie fails, fall back to password
The Tor 0.2.2.x deb, from 0.2.2.29-beta on, enables CookieAuthentication by default: https://gitweb.torproject.org/debian/tor.git/blob/debian-0.2.2:/debian/patches/06_add_compile_time_defaults.dpatch
So Vidalia users on Debian/Ubuntu who had set HashedControlPassword in their torrc are bitten by a Vidalia bug: if the controlport's ProtocolInfo line says cookie and hashedpassword are both supported, Vidalia tries cookie, and if it fails it gives up.
If cookie fails but hashedpassword is also offered, Vidalia should try that one next.
Ideally we'd either support this in the Vidalia 0.2.x timeframe, or step up the schedule to ship Vidalia 0.3.x alongside the Tor 0.2.2 debs in whatever debian/ubuntu releases are coming next.
(I wonder how this order-of-operations interacts with the later controlsocket support.)