"I mean, do you really want to trust Bob's Computer Shop to allow logins to your site?"

Why wouldn't you? For the average site (like the one mentioned in the OP), it really doesn't matter who handles authentication (not authorization). Now let's leave banks and websites like that out of the question. Digg? Slashdot? Perlmonks? JoeSchmoe-Forum? Does it really matter who handles authentication?

Sure, Bob's Computer Shop could be faking credentials, but with regular password based authentication on your own site, you're really no better off. (Palin's Yahoo! mailbox anyone?). With sites like bugmenot.com, password based authentication is definitely no better IMHO.

But I'd like to hear some arguments of the "haters" :)