Hopefully ~davout/~bousac will have anticipated this. I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.
I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there
In my opinion, a straight URL like this not much different than a username/password scheme. Possibly better in some ways as one is unlikely to type it in and get hit with a keystroke logger, use crappy passwords, re-use passwords and get nicked that way, etc, etc.
Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off. For a lot of things and not just URL-secured access.
On the back end it should be handled with the same sensitivity as a password. Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such. That way loss of the database would not compromise the sensitive data as easily. Dunno if this is how the Frenchmen had Instawallet working or not.
One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin. I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.
A private key for a user who had their act together enough to keep a hold of it for situations like the one we are now facing would be kind of a good idea. 20/20 hindsight I guess. Maybe for the next go-around. And I would go right back to using something like Instawallet-II if Paytunia or some other trustworthy entity brings it up...and goes into a little detail about the precautions they took in implementation.
edit: spelling