Suppose a web site implements logging in via SQRL. Steve said when he explained SQRL that the server holds no secrets that can be stolen. Now suppose that a person has an existing account with that web site. I have two questions: 1) Even though that site may not have any login/password secrets that can be stolen, it seems to me that everything else about the account is vulnerable to being stolen, like credit cards, purchase history, phone numbers, social security number (if stored), and all that. Is that true? It doesn't seem to me that SQRL login will change that. 2) How does one associate an SQRL login with an existing account at that web site? What information within the SQRL login will let the web site know how to associate my existing account with that login? I'm not sure the SQRL documentation addresses this, but I may have missed it.