Suppose a site doesn't store passwords on its server.
When the user creates a new account, his password is hashed together with his username and stored in a cookie insider his Web browser. When he comes to the site again and types in his username and password, the server hashes them pulls the cookie from the user’s browser and checks if the computed hash is equal to the hash
stored in the cookie. If they match, access is granted.
Can another person log into his account just be knowing the username i.e the victim's computer is offline and inaccessible( cannot be eavesdropped)