Well, you dont need pwd to piggyback into a user's account. Since the userID/pwd validation is theirs, they can bypass the validation if they want based on some prefix or suffix in the userID field.