Lost password

I noticed that when we lose a password, geeklog will send us a new \'system-generated\'password. I have one concern, with the ease of requesting for new password.

GL does not verify if you are truly the user requesting for new password. As such, a prankster can look for a list of users ie. Admin etc and request for a new password for the person. It would be a pain if the this becomes a day to day affair.

Are there any plugins patches that we can add to help identify the user ie mom\'s maiden name or something along those lines?

Thank you.