If I don't have my username and password on my PC, but the place I'm connecting to does, the problem still exists. If someone gets inside, the information is at risk.
One would think that the cloud is run by people who know what they're doing, so accounts are protected, but we know of too many cases where that isn't true.
IIRC, Kerberos tries to minimize this problem by passing tokens around. But the server still has a database of valid passwords from which it constructs tokens.
Defense in depth makes sense, but it's too easy to forget all this stuff...
Cheers,
Scott.