One other idea to consider is that I presented the very worst possibility. At the very least, one could begin to build a profile of someone to steal their identity. And if that is too outlandish to consider, then perhaps the idea of being able to see when they would be gone (because you can see upcoming trips), and then just rob them. Either way, it's negligence on their part, plain and simple.

Yes, it is true. I demonstrated it to a local news anchor that had an account with Southwest. We sat at Starbucks, me on the other side of the room, and he randomly logged in and I grabbed his password and then presented him with a list of information that I was able to collect, including past and upcoming trips.

Fake boarding passes wouldn't particularly be all that hard to create either with all of the "print-at-home" tickets. Someone with decent photoshop skills should be able replicate one. Obviously it wouldn't get you on the plane, but it would get you past TSA and into the terminal.

Not at least at DIA or COS that I've been involved in although I have heard that at some airports the TSA does random gate/ID checks.

Until these merchants or companies get burned, they continue with the same practices because they figure it's not worth the time to do it right or they can "get away with it." For whatever reason (time, money, lack knowledge), for most companies, security is not considered a benefit until it fails or they are discovered. Perhaps it's time for more strict consequences for instances of negligence such as this.

Yeah it is interesting that they don't. It would certainly be in their best interest to do something like that. What I found, particularly with this story, is that many media outlets didn't consider this "news" because no one has had the exploit performed against them. They have to see someone go down before they consider it an issue. Until then, it's just a "threat", not an attack.

Southwest wasn't the only app I found that username and password issues. There is a list below. Note that typically users have a really high rate of password reuse so if we are able to compromise one account, the chances are likely to be able to compromise others.

Cloudette: Username in plaintext and password, hashed with MD5
Gas Buddy: Username and password, hashed with MD5

These two apps (Cloudette and Gas Buddy) are mentioned because you could replay these credentials to login to that account.

Southwest Airlines: Username and password in plaintext
Minus: Username and password in plaintext
Wordpress: Username and password in plaintext
Foodspotting: Username and password
ustream: Username and password
Labelbox: Username and password

Of the 253 applications surveyed, 91.7% had no risk found, 3.1% had a low risk, 2.3% had a medium risk and 2.3% had a high risk. While it would be desirable to have no applications in the “Medium” or “High” category, the number of applications the authors found presented a security risk was both surprising and far too numerous. There are over 500,000 applications on the iOS App Store, so extrapolating the results, there could be at least 15,500 applications in the “Low” risk category and 11,500 applications in the “Medium” and “High” risk category.

You can find the full details here: http://blog.afewguyscoding.com/2012/01/affected-applications-a-survey-mobile-device-security-threats-vulnerabilities-defenses/

Using ROT-13 would essentially be as good as no "encryption" at all. Algorithms such as this one, commonly called a Caesar cipher, does not hide language characteristics, such as letter frequency, etc. so it would be rather trivial to derive the actual plaintext. There is a reason these are classical algorithms and we've moved to AES and RSA.