I've been around a long time (2003) and have old accounts that I never use, usually explicitly set up to prevent folks from creating accounts with different capitalization for misleading user names in comments.
After SUL, that case variance problem should be handled correctly. But those existing variants could still be re-activated.
Many of these accounts have expired email, so I don't see any notices. Recently, one that has a current email sent me a notice that reads in relevant part:
# Temporary password: YH2MnDD
#
# This temporary password will expire in 7 days.
# You should log in and choose a new password now. If someone else made this
# request, or if you have remembered your original password, and you no longer
# wish to change it, you may ignore this message and continue using your old
# password.
#

I use fairly long passwords with special characters (a 96 character set including space). This replacement password is much more easily guessed. The account could have been stolen within minutes or hours.
https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength
(Merely 7 case-insensitive alphanumeric characters is equivalent to only 40 bits of strength.)
Please update the password generator to use at least 17 characters, with at least some punctuation! (Users reading the text might have trouble noticing blanks, so don't use the space character.)
Of course, I know that various studies show that 12 to 15 characters using a 95 character set are probably enough. And that's fine for the user's choice. But this is an automatically generated replacement, emailed out in the clear. It should be something stronger!
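
A sketch of a generator that meets the request above (17 characters, some punctuation, no space), added here as an example and not taken from MediaWiki or from the original report. The function names and the 94-character alphabet (printable ASCII without the space) are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and ASCII punctuation (94 characters).
# The space is left out, as the report asks, because it is easy to miss in an email.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a string whose characters are drawn uniformly."""
    return length * math.log2(alphabet_size)


def effective_bits(length, alphabet=ALPHABET):
    """Entropy once 'at least one punctuation character' is enforced.

    Strings without punctuation are rejected, so the number of possible
    outputs is (all strings) minus (strings with no punctuation).
    """
    plain = sum(1 for c in alphabet if c not in string.punctuation)
    return math.log2(len(alphabet) ** length - plain ** length)


def generate_temp_password(length=17, alphabet=ALPHABET):
    """Generate a temporary password from the OS CSPRNG.

    Each character is drawn independently with secrets.choice, and the whole
    candidate is redrawn if it has no punctuation. Rejecting whole candidates
    keeps the result uniform over the allowed set, which patching in a
    punctuation character at a fixed position would not.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if not any(c in string.punctuation for c in alphabet):
        raise ValueError("alphabet contains no punctuation")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c in string.punctuation for c in candidate):
            return candidate


if __name__ == "__main__":
    print(generate_temp_password())
    print(f"17 chars, 94-char set: {entropy_bits(17, len(ALPHABET)):.1f} bits")
    print(f"with punctuation rule: {effective_bits(17):.1f} bits")
```

The punctuation requirement costs almost nothing in entropy at this length, so it can be enforced without weakening the generated password.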