The one good thing about HTTP Auth, IIRC from the last time it looked, was that it was sorta CSRF-resistant to a form automatically logging you in (if it could guess your password -- which for something like a home router, is a decent attack vector in a spray-and-pray script where there are lots of defaults). But it still has so many significant downsides, like the fact that you were kept logged in until you closed your browser.