Kinda. The important thing to note is that back in 1997, when the digest auth RFC was written, we recognised the hashing before going over the wire... and somehow we lost sight of that.
The browser implementers completely punted on making HTTP authentication usable: there's no friendly way for a user to log out, for the server to force a logout, for the user to change a password, etc. All of these were well known and discussed from day one but they weren't seen as a priority by any vendor and most web developers went with usability over security.