On Sat, Oct 30, 2010 at 08:47:59AM -0700, Justin Davis wrote:
> If the password is used in more than one place and sniffed out, then
> not only is the user's AUR account compromised but also other accounts
> on other websites. It is easier to run a sniffing program that is
> already set up to search POST form data for the parameter name
> "password" (or something similar) instead of targeting the AUR
> specifically and looking for the "AURSID" cookie.
>
> If the password is the same for the user's email account, the hacker
> just has to look the email up on the AUR and go from there. They can
> also cross-reference the email to other accounts.
This is one reason to never ever use a password twice.
