On 05/07/05, David Benbennick dbenbenn@gmail.com wrote:
> > Since exactly one random password + one "real" password can be active at any time, it's equivalent to halving the odds of picking the right one randomly.
> Not quite. The random password has been sent out by email, so it is stored and archived who-knows-where.
So don't register an e-mail address with your account, and then no generated password will ever be sent out that way. This danger isn't really reliant on the password being valid for a long time, only on it being sent to or through an insecure e-mail server. If you're worried someone may be trying to exploit the e-mailed password to get into your account, change your real password, and it will immediately cease being valid.
Besides, if this was a banking site, I'd take these issues a bit more seriously; if someone just wants to impersonate or disadvantage you on Wikipedia, I'm sure they could find simpler ways anyway.