I think your very last point is particularly valid. “Don’t make complicated what could be simple – don’t block access to features that need to be accessible with next to no permission, and your users will thank you.”
Why do so may websites ask you for a password when they have absolutely nothing private of yours? An email address should be sufficient to identify a user. Websites that have nothing about you that is not public record should NEVER force you to enter, and then try to remember, a password.
Of course if the website has personal or financial information that you have found fit to give them that is an entirely different situation. In that case the site should be https and should insist that you have a good password or passphrase.
SitePoint, for example, has nothing about me that is not public record but they still require me to have a password. Why?
Good article.