An update was released for my game so I decided to download it from fileshack. Only problem was that it required you to log in to download any file. As I didn't want to fill their user database with another account that would be used only once, bugmenot.com offered the solution.
Looking at their cookies I won't have any troubles logging in till Dec 2007 - there's a cookie containing the username and a cookie containing your password - unencrypted! I wouldn't be surprised if it was the same for the paid accounts.
Why store the login credentials client side at all? A hash would have been enough.
Another WTF: when you go to download your file you're put in a queue. The URL ends with paid=0. Set it to 1 and you're thanked for your support to the site but you still have to wait. So it would seem they still store whether you're a paying member server side. Then why not use it to generate the page too instead of a GET var? It also helps you view your queue status.
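
A sketch of the server-side approach argued for above, added here as an example and not fileshack's code: the cookie carries only a random session token, and the paid flag is read from the server's own record, so `paid=1` in the URL changes nothing. The user table, function names and 30-day lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample accounts; names and values are illustrative only.
USERS = {"alice": {"paid": False}, "bob": {"paid": True}}
SESSIONS = {}  # sha256(token) -> {"user": ..., "expires": ...}
SESSION_TTL = 30 * 24 * 3600  # assumed cookie lifetime in seconds


def _digest(token):
    # Only a hash of the token is kept, so a leaked table holds no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def login(username, now=None):
    """Call after the password check succeeds; returns the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # opaque, contains no credentials
    SESSIONS[_digest(token)] = {"user": username, "expires": now + SESSION_TTL}
    return token


def current_user(cookies, now=None):
    """Resolve the session cookie to a username, or None if unknown/expired."""
    now = time.time() if now is None else now
    session = SESSIONS.get(_digest(cookies.get("session", "")))
    if session is None or session["expires"] < now:
        return None
    return session["user"]


def download_page(cookies, query, now=None):
    """Build the queue page; any 'paid' value in the query string is ignored."""
    user = current_user(cookies, now)
    if user is None:
        return {"status": 401, "queue": None}
    paid = USERS[user]["paid"]  # server-side record is the only source
    return {"status": 200, "user": user, "paid": paid,
            "queue": "skip" if paid else "wait"}


def logout(cookies):
    """Invalidate the session server side; the cookie becomes worthless."""
    SESSIONS.pop(_digest(cookies.get("session", "")), None)
```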