If you're asking for an account name and password form someone, you're effectively committing to playing security hardball. Also, you're asking the users to trust you, and perhaps the level of trust that you're askign for is more than you really need.
Stackoverflow is an interesting case where they thought about issues of identity and authentication, and decided to go with OpenId. Their rationale would be something along the lines of "we want to map comments to an identity, but we don't need/care about authentication, we can let someone else do that".
Unfortunately, OpenId kind of sucks, but that's a different story.
An interesting example is HackerNews where they keep a cookie around so I don't need to log in everytime. This is enormously much less secure (anyone else on the same machine can impersonate me just by going to the HN website). But the security implications of someone impersonating me are low (shoot, given my contrarian nature and history of Iconiclasm and Heresy someone else trying to 'destroy' my online rep would probably actually improve it instead :D )
Now Facebook does the same thing, but in Facebook's case this is enormously bad, evil and wrong (tm) since the data they control access to is much more sensitive and private.
Speaking of different stories, here's another one to illustrate when you want to be able to uniquely identify someone, but going with a full on username/password system is overkill and more hassle than it is worth.
Was talking to some guys who want to take registrations/expressions of interest for an upcoming Science Fiction convention. The convention is a couple of years out, so presumably some proportion of the people will need to change their address details between now and then. But if they do a name/password thing, people will forget the passwords (and choose badly even if they do remember it), it imposes a security and trust burden upon them to maintain the database securely.
Basically, they need to identify the people to a reasonable degree of security, but names/passwords is overkill.
So I decided that what they needed was a shared secret instead. If the person gives their email address when they sign up (and sign ups range from OMG take my money now to "eh, send me a reminder when we get to three months out"), then when that person wants to change their name/address details, they just send them an email with a link. The link contains the shared secret built in (e.g. a token). The shared secret will eventually expire, but for a while they can get in and edit their own details. If someone doesn't want to give their email when they sign up, no problem, they just can't offer them those convenience features.
Now Facebook does the same thing, but in Facebook's case this is enormously bad, evil and wrong
Selfishly, I disagree. I hate sites that constantly forget who I am. I would be totally happy for every site, including my bank, to set a perpetual cookie. If I want them to forget me I can explicitly log out.
Maybe for people who don't know better you have a point, I don't know. But for me, Facebook remembering me isn't bad, evil, and wrong, it's good, righteous, and correct.
I see your point, and I agree that for a well defined environment (e.g. my PC, at home, that no one else touches on pain of very painful things).
However, the big picture is that in general insecure should not be the default option.
Take your example, all you have to do is use it once on another persons computer, and then forget to explicitly log out ... and BAM you're compromised. Of coruse, this would be unlikely, since you are smart and can remember, but for other people they don't have the habit of logging out because they don't need to, so it would be very very easy for them to forget to do this.
(Ideally) The security of the user's data should not rely on eternal vigilance on the part of the user.
Better would be an opt in cookie ssytem, that you can explicitly say "keep me logged in on my home computer". That way when you or our hypothetical less than eternally vigilant user logs in to a public machine they can simply forget to click that option and it doesn't hurt their security.
I'm pretty happy with a "keep me logged in forever" checkbox. The thing I hate is "keep me logged in for a week" checkboxes. It's a pointless middle ground.
(And to pre-empt the inevitable karma snipe, it was in the normal game as well. Civil Disorder (level 7) + Iconoclasm and Heresy (level 8) was an evil, evil combo :D )
