This is Brian G.'s TypePad Profile.
Recent Activity
A few points here.
1) Your memory is actually really good once you train it; it isn't hard at all to memorize (*aDb&<88g ... it's simply not. You just need to use the password about ten times.
2) The real problem is our insistent need to authenticate everything rather than monitor for fraudulent/unwanted activity. The bigger issue is that system designers treat authentication as the end-all of system security. We simply cannot and should not depend on it. Think of it this way: if I get General Anyman's military ID and flash it at the guards outside Fort Knox, and the guard authenticates me for access, are they going to monitor my activities? Am I loading my backpack with gold? What did I bring into the fort? What have I done? What looks suspicious? Am I simply harvesting page after page of data? We need active monitoring and auditing of the actions a user account takes in a secure system; authentication shouldn't be trusted to stop undesired actions.
3) Why the **** do I need to join my OpenID or register an account just to say hello and add my two cents? If I'm a spammer, I'll create a Google account, join OpenID, post my spooling misteaks seling u bonerpills, and be on my merry way. We need to examine how preventing spammers can be done without logins; it could in theory be part of a distributed reputation system, for example "OpenRep." I don't want you to have my damn email just so I can comment, because I really don't trust you either.
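The "harvesting page after page of data" case in point 2 is the kind of post-authentication behaviour that a log-side check catches even when the login was perfectly valid. The following is an added example (not Brian G.'s code, and not from the posts he is commenting on): a sliding-window detector that flags an authenticated account reading more distinct pages per minute than a person plausibly would. The log format, the user/timestamp/path fields, the sample lines and the thresholds are all constructed assumptions.

```python
"""Velocity/harvesting detector over constructed access-log lines.

Added example, not code from the page. The log format, field names and
thresholds are assumptions: "<user> <iso8601 timestamp> <method> <path> <status>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<user>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic (not real logs). "alice" reads a few pages at a
# human pace; "bob" pulls 30 distinct pages in under a minute with a valid session.
SAMPLE_LINES = [
    "alice 2010-11-18T10:00:00 GET /questions/1 200",
    "alice 2010-11-18T10:00:40 GET /questions/1 200",
    "alice 2010-11-18T10:02:10 GET /questions/2 200",
    "alice 2010-11-18T10:03:00 GET /users/alice 200",
    "alice 2010-11-18T10:09:00 GET /questions/2 200",
] + [
    f"bob 2010-11-18T10:05:{i:02d} GET /questions/{100 + i} 200" for i in range(30)
]


def parse_line(line):
    """Return (user, timestamp, path), or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["user"], datetime.fromisoformat(m["ts"]), m["path"]


def harvesting_accounts(lines, window=timedelta(seconds=60), max_distinct_pages=20):
    """Flag authenticated accounts that read more than `max_distinct_pages`
    distinct pages inside any sliding `window`.

    Returns {user: peak distinct pages seen in one window} for flagged users only.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])  # logs are rarely perfectly ordered

    recent = defaultdict(deque)                         # user -> deque of (ts, path)
    in_window = defaultdict(lambda: defaultdict(int))   # user -> path -> hits in window
    peak = {}
    for user, ts, path in events:
        dq = recent[user]
        dq.append((ts, path))
        in_window[user][path] += 1
        # Expire everything older than the window and fix up the distinct-page counts.
        while dq and ts - dq[0][0] > window:
            _old_ts, old_path = dq.popleft()
            in_window[user][old_path] -= 1
            if in_window[user][old_path] == 0:
                del in_window[user][old_path]
        distinct = len(in_window[user])
        if distinct > max_distinct_pages:
            peak[user] = max(peak.get(user, 0), distinct)
    return peak


if __name__ == "__main__":
    for user, n in harvesting_accounts(SAMPLE_LINES).items():
        print(f"ALERT {user}: {n} distinct pages within 60s despite a valid login")
```

The detector keys on the authenticated account, not the source IP, which is the point of the comment: once the guard has waved the ID through, what matters is what that identity does next. Tune the window and threshold to the site's real read rates before alerting on it.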
The Dirty Truth About Web Passwords
This weekend, the Gawker network was compromised. This weekend we discovered that Gawker Media's servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. If you're a commenter on any of our sites, you prob...
| Yes, you can naively argue that every website should encrypt all their traffic all the time, but to me that's a "boil the sea" solution.
The sea should be boiled, because guess what: HTTPS is your mystical "more secure identity protocol than ye olde HTTP cookies".
| I don't actually care if anyone sees the rest of my public activity on Stack Overflow; it's hardly a secret.
Nobody is worried about the publicly accessible information being read.
| Encrypting everything just to protect that one lousy cookie header seems like a whole lot of overkill to me.
I don't want to be profiled in a database at my ISP or the local neighborhood government cyber-spy agency on what websites I go to, what content I've read, or what my general habits are; that's between me and the website. My ISP knows that I've posted this comment here. I don't have a problem with "Brian G. -- Content" being on this public website, but I don't want it to be hijacked along the way (by the various nodes that carry the packet), nor do I want to get profiled.
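The "one lousy cookie header" in the quoted post is exactly what crosses an open WiFi network in the clear. The following is an added example (not Brian G.'s code, not from the Coding Horror post, and not Firesheep): the first part shows what a sniffer recovers from a constructed plaintext request, and the second uses Python's standard cookie jar to show the one cookie attribute that keeps a session cookie off plaintext connections, the Secure flag. The hostname, cookie names and values, and the captured request bytes are all constructed assumptions.

```python
"""What an open-WiFi sniffer sees, and what the cookie Secure attribute changes.

Added example, not code from the page or from Firesheep. Hostnames, cookie
names/values and the captured request are constructed.
"""
import email.message
import http.cookiejar
import urllib.request

# A constructed plaintext HTTP request, as it would cross an unencrypted WiFi
# network (the kind of frame a sniffer reads). Not a real capture.
CAPTURED_REQUEST = (
    b"GET /feed HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def cookies_from_capture(raw):
    """Pull the Cookie header out of a captured plaintext request.

    Returns {name: value}; any session token here is reusable by the sniffer.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            return dict(
                pair.strip().split("=", 1) for pair in value.split(";") if "=" in pair
            )
    return {}


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs info().get_all()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for h in set_cookie_headers:
            self._msg["Set-Cookie"] = h  # Message appends repeated headers

    def info(self):
        return self._msg


def jar_after_login(secure_flag):
    """Simulate an HTTPS login response setting the session cookie, with or
    without the Secure attribute, and return the browser-side cookie jar."""
    attrs = "session=abc123; Path=/; HttpOnly" + ("; Secure" if secure_flag else "")
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request("https://example.com/login")
    jar.extract_cookies(_FakeResponse([attrs]), login_req)
    return jar


def cookie_header_for(jar, url):
    """The Cookie header the client would attach to a request for `url`, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leak_matrix():
    """Which cookies go out over http:// vs https://, with and without Secure."""
    result = {}
    for secure_flag in (False, True):
        jar = jar_after_login(secure_flag)
        result[secure_flag] = {
            "http": cookie_header_for(jar, "http://example.com/feed"),
            "https": cookie_header_for(jar, "https://example.com/feed"),
        }
    return result


if __name__ == "__main__":
    print("sniffer sees:", cookies_from_capture(CAPTURED_REQUEST))
    for flag, sent in leak_matrix().items():
        print(f"Secure={flag}: http -> {sent['http']!r}, https -> {sent['https']!r}")
```

Without Secure, the session cookie set over the HTTPS login is replayed on the very next http:// link, which is the Firesheep window. With Secure, the client refuses to attach it to a plaintext request, so the sniffer gets nothing worth stealing; the site still has to serve everything over HTTPS for that flag to cost the user nothing.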
Breaking the Web's Cookie Jar
The Firefox add-in Firesheep caused quite an uproar a few weeks ago, and justifiably so. Here's how it works: Connect to a public, unencrypted WiFi network. In other words, a WiFi network that doesn't require a password before you can connect to it. Install Firefox and the Firesheep add-in. W...
Brian G. is now following The Typepad Team
Nov 18, 2010