The second district court to weigh in on the subject has held that a person who obtains a correct username and password to access a website, even if unauthorized, does not violate the DMCA's anticircumvention prohibition because using a password does not "circumvent" the password control. The case is Egilman v. Keller & Heckman, No. 2004-0876 (D.D.C. Nov. 10, 2005). What's particularly interesting is the extension of the previous case, I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004), which involved a third party who wrongfully disclosed a legitimate username and password. Here, by contrast, there's no evidence that a third party disclosed the information; rather, Egilman's login was easily guessed.
I only wish someone would explain to me how this is different from obtaining the "secret handshake" in StreamBox or the CSS key in the DeCSS case. In those cases too, the code used is in fact the correct, actual key -- otherwise it wouldn't work. (At the very least, I want a better explanation of the difference between "decrypting" and, say, "guessing." What if the password wasn't guessed on the first try? What if it took ten tries? What distinguishes that from a basic computerized password attack? Cf. the great 1980s movie Wargames, in which Matthew Broderick's character substitutes a social-engineering attack, logging in as the computer's creator, for his slower programmed assault on what he thinks is a gaming computer.)
Congratulations to Jeffrey P. Cunard of Debevoise & Plimpton, who helped represent Keller & Heckman.