
I agree with all of what you say. That's why I paid $35 for 1Password. It stores all my passwords locally. It supports 95% of the sites in the world, today. It doesn't sit outside a firewall or accept requests from the open internet. It doesn't run on Windows. It is unphishable. It doesn't provide hackers, datacenter thieves, and rogue employees with a big tempting centralized target. It doesn't require me to figure out OpenID. When my laptop gets stolen, I will know immediately that it's time to change all my passwords, and hopefully the encryption will buy me the time to do so. The company will probably not be bought by DoubleClick and used to data-mine my login history (which, at the moment, it doesn't track anyway), and if that does happen it is easy and intuitive for me to just switch to something else -- or just switch to a notepad -- because I have all the passwords under my local control.

Is OpenID more secure than my solution? I mean, it's obviously less convenient and harder to understand, but perhaps it would be more secure.

I guess you could argue that my passwords are sometimes sent in the clear, when the site I'm logging into doesn't have HTTPS. Fair enough, but I wouldn't think that the marginal additional security of OpenID would matter too much in that scenario. Sites which don't support HTTPS can hardly be relied upon to be careful with my data, anyway.



Less convenient? So, what happens when you're at a friend's house or public computer where you don't have your 1Passwd/Keychain database?

Plus, once you're logged into your OpenID provider, you don't have to enter your password for any sites which you already trust, until you log out. That's part of the advantage of a single sign-on system.

"Sites which don't support HTTPS can hardly be relied upon to be careful with my data, anyway." -- so, the vast majority of sites? People are going to use these sites either way. Most users don't even know what HTTPS is.

While it's unlikely an OpenID provider would sell out to DoubleClick, etc, if you're paranoid it's also very easy to use your personal website URL as a portable OpenID (it's literally two extra HTML tags in your homepage's header). You can either run your own provider using a simple prepackaged solution, or do what I do and just delegate to another provider, which you can easily change in the future with a quick edit of your homepage's header. Here's mine:

    <link rel="openid.server" href="http://www.myopenid.com/server" />
    <link rel="openid.delegate" href="http://tlrobinson.myopenid.com/" />

There are even WordPress (and I'm sure other) plugins to make this trivial for non-technical users.

I agree OpenID is a little difficult to understand (as evidenced by some of the comments here) but it's actually very easy to set up a simple OpenID (many people already have one and don't know it... all AOL, Technorati, LiveJournal, WordPress, and some other accounts are OpenIDs) and not too much harder to set up a delegated OpenID or run your own provider.

Here's a great little article by Sam Ruby: http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-S...

I suggest everyone look into OpenID a little more before completely dismissing it.
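The two `<link>` tags in the comment above are only the identity owner's half of delegation; the relying party has to fetch the page at the claimed URL, pull those tags out of its `<head>`, and later check that whatever the provider asserts is the identity discovery bound to that URL (otherwise a provider the attacker controls could assert anyone's identity). Below is that relying-party side as an added example in Python, not code from the thread or from any OpenID library. The sample homepage HTML and the claimed URL `http://example.com/` are constructed to mirror the snippet above, and the function names are this example's own. The OpenID 1.1 rel values are the ones shown in the comment; the OpenID 2.0 ones (`openid2.provider`, `openid2.local_id`) are included for completeness.

```python
"""Relying-party side of OpenID HTML-based discovery plus the identity
consistency check on the provider's answer.  Added example; the sample
homepage below is constructed, not a real page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (server rel, delegate rel, protocol version); 2.0 tags win when both exist.
_REL_SETS = (
    ("openid2.provider", "openid2.local_id", "2.0"),
    ("openid.server", "openid.delegate", "1.1"),
)


class _HeadLinkCollector(HTMLParser):
    """Collects (rel token, href) pairs from <link> elements, but only while
    still inside <head>: links that show up in <body> (e.g. injected through
    user-supplied content) must not influence discovery."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_head = True  # lenient: pages without an explicit <head>

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                # rel may carry several space-separated tokens
                for token in rel.lower().split():
                    self.links.append((token, href.strip()))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def _absolute_http(url):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def discover(claimed_id, html):
    """Parse the page served at claimed_id and return
    {'version', 'server', 'identity'}.  'identity' is the delegate if one is
    declared, otherwise the claimed URL itself.  Raises ValueError when no
    usable server tag exists or a tag points somewhere that is not http(s)."""
    parser = _HeadLinkCollector()
    parser.feed(html)
    parser.close()
    found = {}
    for rel, href in parser.links:
        found.setdefault(rel, href)  # first tag of each kind is the one used
    for server_rel, delegate_rel, version in _REL_SETS:
        if server_rel in found:
            server = found[server_rel]
            identity = found.get(delegate_rel, claimed_id)
            for url in (server, identity):
                if not _absolute_http(url):
                    raise ValueError("discovery yielded non-http URL: %r" % url)
            return {"version": version, "server": server, "identity": identity}
    raise ValueError("no OpenID server link found in <head>")


def assertion_is_consistent(discovered, response):
    """response: the openid.* fields the provider redirected back with.
    The asserted identity must equal the one discovery produced, and (2.0)
    the endpoint must be the discovered server.  Signature verification of
    the response is a separate, still mandatory step not shown here."""
    if response.get("openid.identity") != discovered["identity"]:
        return False
    endpoint = response.get("openid.op_endpoint")
    return endpoint is None or endpoint == discovered["server"]


# Constructed sample homepage mirroring the delegation snippet in the thread;
# the extra tag in <body> stands in for content an attacker could inject.
SAMPLE_HOMEPAGE = """<html><head>
<title>homepage</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://tlrobinson.myopenid.com/" />
</head><body>
<link rel="openid.delegate" href="http://attacker.example/" />
</body></html>"""

if __name__ == "__main__":
    d = discover("http://example.com/", SAMPLE_HOMEPAGE)
    print(d)
    print(assertion_is_consistent(d, {"openid.identity": d["identity"]}))
```

Running it shows the delegate from `<head>` being used as the identity while the tag in `<body>` is ignored; the second function is the check the relying party performs after the provider redirects the user back, before trusting the login.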
