Thanks for posting!
Yep - both good recommendations, and poor practice on the part of Award Wallet. Enforce good passwords (the suggestion that this is a dead give-away of bad proper password security is ridiculous), and don't show saved passwords.
Every good site I know of that is an aggregator of other accounts (like Mint / Yodlee) stores the user's passwords in a hashed format so that even if hackers breached the DB they wouldn't see the plain password.
Luckily I have complex passwords on all sites, but I just deleted my Award Wallet account after this one - if they get this basic security wrong, what else are they missing?
I suggest everyone delete their account, this site is too risky given this basic breach. Also, the site doesn't even give correct updates / balances a lot of the time. I feel sorry for those that have to go change passwords on dozens of accounts due to this - I had 70 accounts stored in AW!
Shame on you Award Wallet / AwardWallet !