Or perhaps he is just doing what everybody _really_ does, which is to use the same username and password for every random site on the net and hope like hell they are not storing passwords in plantext.

A hope, which has been dashed time and time again by bitter reality. It seems the only people lazier about password security than the actual end users, is the site owners ...