Even though that may be correct in theory, isn't there one-way encryption involved for these passwords? (You know, the kind which can't be retrieved by anyone, only reset.) But even if that is not the case, regular strong encryption ought to be enough.
There can't be, because the password must be recovered to submit to the remote authentication system.
Paul Russell suggests on the MIMEDefang list that the ratware could simply pop up a password dialog. Many users will just enter their credentials, not understanding why they got a random authentication request.