parse_str also does not work the same as the parser generating $_GET because it doesn't replace control characters: https://bugs.php.net/bug.php?id=76255

Not saying that 2factor / persona auth modules aren't the eventual way forward, but the worst thing to do is to run out and do something like adding modules to your site. Installing modules that have any relation to authentication or security should be postponed until a careful review of the code and its consequences can be completed.

Your password was scrambled, which is why you cannot login.

> UPDATE users SET password='';

That would be an extremely bad idea. Never set pass to empty on Drupal 6 sites.

Drupal.org runs D6 with the phpass module, basically the stuff that went into Drupal 7.