by FiloSottile 5011 days ago
No, it IS scary. First, even if an attacker can wiretap my network, and I assume that at least my ISP and government always can, I want my main means of communication to be secure: I DEMAND HTTPS on mail, Twitter, Facebook and so also on WhatsApp before using it. (Also, with HTTPS it's not hard, it must not be possible; if it is, it is a bug.) Second, if you try airodump-ng in a public place you will realize that you don't wiretap a Wi-Fi MAC address; it is screamed in every direction by every device that has Wi-Fi turned on, and note, not associated with an AP, simply turned on. Because this is how the network works, your device keeps yelling "I am /MAC address/ and know these APs, is there anyone near?" So, if a service authenticates me based on a broadcast value or on an easily retrievable value (I usually don't think that the guy that asked me to make a phone call might obtain some password of mine), I would not call that password-based authentication.