Quoting shyouhei / ruby-lang.org, on Sat, Feb 03, 2007 at 11:01:00AM +0900:
> Yukihiro Matsumoto wrote:
> Because it's marked "deprecated" in RFC3986.  No use of this field
> should be recommended any longer.  That RFC says:
> 
> > A password appearing within the userinfo component is deprecated and
> > should be considered an error (or simply ignored) except in those rare
> > cases where the 'password' parameter is intended to be public.
> 
> Isn't this enough to say no?

It means that the library cannot interoperate with legacy systems.
Release of RFC3986 in 2005 did not cause all existing systems to
dissappear.

Many applications use and intepret such URIs. Mutt, for example. But
not open-uri, I guess it is safer than mutt.

Sam