If you use the same password on AW as elsewhere, and your password is stolen elsewhere, how is AW supposed to prevent/reassure you?

But allowing a password to equal your id is simply unacceptable - for both the user and the vendor.