RE: Gridcoin Tutorial; Why SSL is so important for us

in #gridcoin, 8 years ago

So, I'll jump right in and bring this interesting chunk of information I came across today whilst working on Project Rain:

"Account keys are still used, but are not generally visible to users. Account keys are used by the core client to identify and authenticate itself to the server. An account's key never changes (so core clients don't need to learn when email address or password has changed)."

Source: https://boinc.berkeley.edu/new_setup.php

Let's process that chunk of information quickly:

  • Account keys are used by the BOINC client to identify and authenticate itself with the BOINC project server after you have added the project to your BOINC client.
  • This 'Account key' never changes, even if you change your email and password, meaning that if your account key is stolen, your BOINC account for that project is permanently compromised.
  • This key is continuously being transmitted in plain text over the public Internet when you run a non-SSL project in your BOINC client. Your account key is much more likely to be intercepted than your login credentials via username/password on the project website, as it is more frequently used.
  • With this account key, you can log into the affected BOINC project through the 'get_passwd.php' page (milkyway@home example get_passwd.php page) and view all personal information, view private messages and change email/password.

I was thinking, this account key is also known as an 'authenticator', which is randomly generated upon account creation - an additional security feature would be providing BOINC users the ability to apply for a new authenticator code through the project website. I'll look into this for Project Rain.
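Added example, not part of the original comment and not BOINC project code: a small audit that reads BOINC client account files and flags every project whose account key (authenticator) is used over a non-SSL URL. The file layout (`<account>` with `<master_url>` and `<authenticator>`), the sample file names, hosts and keys are constructed assumptions, and only the master URL scheme is checked.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples mimicking BOINC client account_*.xml files (assumed layout).
SAMPLE_ACCOUNT_FILES = {
    "account_plain.example.org_proj.xml": """<account>
    <master_url>http://plain.example.org/proj/</master_url>
    <authenticator>0123456789abcdef0123456789abcdef</authenticator>
    <project_name>Plain Example</project_name>
</account>""",
    "account_tls.example.org_proj.xml": """<account>
    <master_url>https://tls.example.org/proj/</master_url>
    <authenticator>fedcba9876543210fedcba9876543210</authenticator>
    <project_name>TLS Example</project_name>
</account>""",
    # Truncated file: the audit must report it instead of crashing.
    "account_broken.xml": "<account><master_url>http://cut.example.org/",
}

def mask(secret, keep=4):
    """Show only the first few characters so the report never leaks the key."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def audit_account(name, xml_text):
    """Return a finding dict for one account file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {"file": name, "status": "unreadable"}
    url = (root.findtext("master_url") or "").strip()
    key = (root.findtext("authenticator") or "").strip()
    scheme = urlsplit(url).scheme.lower()
    if not key:
        status = "no-key"
    elif scheme == "https":
        status = "encrypted"
    else:
        status = "cleartext"  # the never-changing key crosses the network unprotected
    return {"file": name, "status": status, "url": url, "key": mask(key)}

def audit_all(files):
    """Audit every file, sorted by name for a stable report."""
    return [audit_account(n, t) for n, t in sorted(files.items())]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_ACCOUNT_FILES):
        print(finding)
```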
