Actually ..the problem was that there wasn't proper disclosure
Great take on the whole incident ..one small clarification though...
I have no problem with the fact that NO passwords should ever be sent in the clear. The problem is that unlike Black Hat / Defcon - there was no disclaimer on a captive portal gateway prior to getting network admission.
Black Hat/Defcon and its networking partner Aruba have such a captive portal disclaimer which makes all the difference in the world.
Check out the image in the top left of this post i made at black hat in 2008 for an example.
http://blog.internetnews.com/skerner/2008/08/black-hat-this-network-is-host.html