Printable View
Microsoft would have started with all the good intentions in the world (as do all enterprises do) but then the bean counters would get involved and all those good intentions go out the window.
Security costs money. Bean counters don't like to spend money. (Because they only see as far as the next quater).
IMHO this is where the problem lies.
And remember that they did this for the phising problem, not even because it's clear text in URL password username... But it's still in a RFC, and if it's in a RFC, it's for a good cause. The problem is only the programer using this and thinking that it's secure, but there will always be programmers like that, even without this.