On Sat, Oct 30, 2010 at 08:47:59AM -0700, Justin Davis wrote:
If the password is used in more than one place and sniffed out, then not only is the user's AUR account compromised but also other accounts on other websites. It is easier to run a sniffing program that is already set up to search POST form data for the parameter name "password" (or something similar) instead of targeting the AUR specifically and looking for the "AURSID" cookie.
If the password is the same for the user's email account, the hacker just has to look the email up on the AUR and go from there. They can also cross-reference the email to other accounts.
This is one reason to never ever use a password twice.