Foolestroupe -

Its not as bad as it sounds, perhaps. When you log in for the .NET Passport cookie, the login itself is as "secure" as most bank logins. You get a temporary cookie that identifies you as .NET user #16943590743 or something. If that's the same number you had when you did a login somewhere else, they can assume it's you, with reasonably safety, since you're the only one who's supposed to be able to log in and get "your" cookie. Since the .NET cookie is a temporary one, it should disappear immediately if you close your browser.

Any site that intends to exchange personal information about you should require a separate login AND transfer you to a secure connection before making any of that information accessible - to you or to anyone else. They should NOT USE YOUR .NET PASSWORD to log you in for exchange of personal info on their own site. Hotmail does use your .NET password to log you into your email, which "ain't how it's supposed to be done" - according to their own rules.

The .NET cookie is helpful, since a site that "knows you" by your .NET cookie can send you directly to their login page, but would likely send someone they "don't know" to a page to "open an account" or some such other place where you'd need to jump through a bunch of hoops for them.

John