Excerpts from Justin Davis's message of 2010-10-30 17:47:59 +0200:
On Sat, Oct 30, 2010 at 4:42 AM, Philipp Überbacher <hollunder@lavabit.com> wrote:
Often enough, and AUR is an example, it's sufficient to be logged in to change the current password. Knowing the session ID is thus almost equivalent to knowing the password.
If the password is used in more than one place and sniffed out, then not only is the user's AUR account compromised but also other accounts on other websites. It is easier to run a sniffing program that are already setup to search POST form data for the parameter name "password" (or something similar) instead of targeting the AUR specifically and looking for the "AURSID" cookie.
If the password is the same for the user's email account, the hacker just has to look the email up on the AUR and go from there. They can also cross-reference the email to other accounts.
Thus 'almost equivalent'. The one difference in any case is that he has to set a new password in the session ID case, which I guess isn't a lot of work. The other, possible, difference I thought of was exactly what you mentioned. It's funny that even on this technical list the term hacker is used :)