I mean, yeah. You can get your packet injected zero day memory scraped poison MitM spoof whatever, I guess. But, really, if you’re trying to break into a computer system? Your best bet is to find the user with the shittest password.

Gotta be honest: when the guys at work do pen tests, I don’t think there’s a single company they haven’t managed to get user credentials for, just by asking. Security isn’t about preventing users from giving up their passwords in places they shouldn’t–it’s not difficult to craft a phishing email/website combo that looks near-identical to an internal corporate email–but about what controls you put in place assuming that someone already has a user’s password.

This is true for individuals, too: If someone got your Tumblr password, or your Gmail password, or your Facebook password (which they probably do, or could do), what damage could they do with it?