The password I use to connect to PM is the random string sent to me when I first joined, so it bears no relation to any other password I normally use in my life (and I generally don't remember what it is -- my browser does that for me -- but I keep that email from PM management, just in case).

The worst-case scenario if someone steals my PM password? They submit "updates" to trash my user page, user settings and any number of the hundreds of nodes I've posted. If they are really subtle and really nasty, they alter code I've posted in malicious ways. If they are nasty and not subtle, they start using my name to do trollish things, and others start to wonder whether I've become unbalanced (bipolar/schizo/etc), until I figure out what's happening and sound the alarm.

Would that cause me any personal damage? Not really. All the code I've posted here is also stored somewhere else where I have more secure ownership and access control, and any ruffled relationships can be smoothed once the facts are known. If the website has a reliable backup, then this worst-case scenario would be resolved by locking things down for a bit, fixing things to prevent recurrence, restoring to a state that precedes the abuse, and getting back to work.

I think whatever risk there is in the PM password setup is limited to damage that may be suffered by the PM website itself, and by the community as a whole that it serves.

I'm not saying there's no cause for concern -- I'm just saying that there is no reason to feel personally threatened by the risk. PM (the website and the membership in the aggregate) bears the full weight of consequences in the event of abuse. If you or your acquaintences are feeling that you have personal things at stake here, think again.