Login is the value the button is sending which is what I was after, but it occurs to me that when I was playing with PHP I'd stuff the credentials in $_SESSION so that they were never on the workstation, and looking at the page source I can see where they are stuffing a session user-key (hidden input at the bottom of the form named "token").
If that's what they're doing this approach wont work.
Many times there is an alert or other piece of information that is placed on a public website that isn't obtainable unless you read the page - this allows you to scan the page for that information. If you look at a big enough website (say a CNN) it is possible to bog down the hub a wee bit. Another way of doing it is to fire off multiple searches before the first one finishes. That being said, I fired off 4-5 against CNN without waiting on a C7, and while it took a while to finish, and the UI was sluggish during the test, they all finished and the hub recovered.