As the old adage says: "There's nothing more permanent than a temporary solution".
So we know it's happening - it's not really "hidden" - so it's up to me if I want to use Facebook or GMail or whatever - knowing the connection could be snooped. If I don't like it - I can simply not use those services from work.
The immune system isn't usually that self-destructive
"Marc Andreessen’s venture capital firm, Andreessen Horowitz, has invested just under $50 million in Bitcoin-related start-ups."
i.e. Even if he doesn't believe a damn word he's saying - he's heavily invested enough to need to make it work.
So - knowing that the app needs to somehow either cache this info in a way it can get it back to login, or have you re-enter the password every time, I'll ask again:
What SHOULD they have done differently?
So, what's the solution? We're NOT talking about a password file that can be stored in a hashed manner - that's receiving and verifying passwords, not sending them. Web browsers don't store cookies/tokens in an encrypted manner - if you got them you could use them elsewhere (assuming they weren't tied to IP address or whatever).
So - (and I'm asking literally, not rhetorically) what should they have done?