Coercing credentials out of a user is phishing. I was wrong in that it may not be technically illegal, but are we really going to dispute if phishing is acceptable behaviour for a company to participate in?