by FlukeATX 5026 days ago
What do you mean "Forget passwords, they have cookies..."? Since when is having a cookie better than having the password that can give you the cookie anyway?
2 comments

If you have two-factor authentication but leave yourself signed in, a password alone will not get an intruder into your account, but a cookie will.
Some web sites will require you to log in again if your IP address changes, no matter what cookies you have. Additionally, the cookie expires. For these websites, the password is much better.
shadowflit made a good point about two-factor authentication. I would also add that by having cookies (and hence a presumed established session with your bank, email provider, or social network) you bypass one of the steps to get what you presumably want: access. I mean to point out that there is no reason to run this script if you already have physical access to a computer with the target's account logged on. You already have the extra access you need.
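The server-side checks mentioned in the replies above (forcing a new login when the IP address changes, and cookie expiry), sketched as an added example that is not part of the thread or of any site's real code. The cookie layout, the demo key and the 30-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed for this example; load from a secret store in practice
MAX_AGE = 1800                    # assumed policy: session cookie valid for 30 minutes


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, ip: str, now: float) -> str:
    """Issue a signed session cookie bound to the client IP and issue time."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    payload = f"{user}|{ip}|{int(now)}"
    return f"{payload}|{_sign(payload)}"


def check_cookie(cookie: str, request_ip: str, now: float):
    """Return (user, None) if the session is accepted, else (None, reason).

    Any rejection means the client must authenticate again, which is where
    the password and the second factor come back into play.
    """
    parts = cookie.split("|")
    if len(parts) != 4:
        return None, "malformed"
    user, ip, issued, sig = parts
    # Verify the signature before trusting any field taken from the cookie.
    if not hmac.compare_digest(sig, _sign(f"{user}|{ip}|{issued}")):
        return None, "bad-signature"
    if now - int(issued) > MAX_AGE:
        return None, "expired"
    if ip != request_ip:
        return None, "ip-changed"
    return user, None
```

With these checks a copied cookie is only useful from the original address and within the lifetime window; a site that skips them accepts the cookie wherever it is replayed.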