And how people can have their account back if they didn't give any email adress?
We've just been discussing this on the enwiki buro noticeboard. In the case we were discussing, the user had linked to their itwiki account which did have an email address, so we could confirm their identity and the plan is to rename the account so it will no longer match the password. However, if there isn't any way to confirm the identity of the user then I think the account is lost for good - there is no way to know if the person requesting access to their account is owner of the account. That's the price you pay for not having the common sense to use a sensible password.