after a discussion with Anders Wegge because of the bugzilla 2126  (now solved),
please let me propose:
- to add for security reasons a reasonable expiry time (minutes/hours/days)
for the temporary password,
which the wiki sends on a user's request.
Currently, the temporary password remain valid until a new is requested (~forever)
The regular password is never touched by this mechanism; it remains valid until
is is changed by the user in via Special:Preferences.
The expiry time can be handled in a similar way as it was recently introduced by
Brion for the e-mail address confirmation token ).
Unable to set new password after using emailed password (= temporary password
can only be used once)
EConfirm (EC): e-mail address confirmation by sending a link comprising a token
to the unconfirmed mailaddress