
You don't hand your password to anyone but your email provider - and they can implement two-factor authentication (or anything else they like) - as Gmail have done, for instance.

Which means that 99% of sites don't need to worry about security for passwords, and you don't need to worry that your password has been stolen by hackers and now they're trying that same password on every site you might have ever used.

It's also decentralised, so there's no tracking of what sites you've logged in to. (Or, at least, it will be, once email providers implement IDPs themselves rather than using the Mozilla fallback.) And the way the certification works, the IDP has no idea what sites you're signing into, so you're safe from that too.


