@Eric Florenzano: Simon Willison hit the nail on the head with that presentation - it’s perfect. Everyone should watch it, especially the critics; it’s completely invaluable.
@bandini: Any security expert will tell you that this is a terrible idea. If your login details are compromised, then every single account you have will be compromised because they have your username and password. (Yes, I know what you’re thinking: ‘but with OpenID…’ - read on!)
Furthermore, half the time using the same login credentials doesn’t work. Usernames can often be taken, email addresses can’t be used as usernames on some sites, and password rules always vary. I always try to use 24 character passwords with a combination of upper/lower-case characters, numbers, symbols - but some sites, even banking sites, will often only allow 8 character passwords.
Using an email address as the URI for your OpenID identifier would seem a logical progression, but email addresses often change. There are millions of people with free Yahoo!, Gmail, Hotmail, etc. accounts - and these shut down after inactivity. Plenty of people (unintentionally) let them expire. Many others use their work email address for everything, but what happens when they change jobs? Email addresses are too transient. Something of a more permanent URI is needed - thus the URL. With delegation to your website or blog, you can have one address forever.
Regarding security, several of the “big OpenID players” are looking at security options that far surpass that of one username/password for every site / “email me my forgotten password” emails. E.g., myOpenID uses CallVerifID to call you on your mobile phone when you log in. Client certificates are also an option, as are (CardSpace/InfoCard) Identity Cards. So with this particular provider, unless someone has your OpenID URI AND your mobile phone AND is at your computer to gain access to the client certificate (AND optionally the ID Card), NO ONE EXCEPT YOU will be able to log in to your OpenID account and any websites that you use OpenID to log in with. Traditional per-website login credentials simply cannot match this level of security.
Another example regarding security is the VeriSign Personal Identity Provider. You can purchase for about $5 (through eBay/PayPal) a fob that will generate a unique one-time use token for when you log in, in addition to your OpenID URI and password. Again, someone would need to gain access to your URI AND password AND fob in order to gain access to your account.
With awareness and adoption ramping up, it is simply a matter of time before this becomes the norm. People are afraid because this is something new. If OpenIDs were around in the early 90s rather than username/password/email login options, we wouldn’t think twice about it.
Find a good provider (myOpenID, claimID, VeriSign PIP are some good ones), have a play around, and enjoy. It does make life so much easier!