Problem description (In WP 2.8.3 and earlier, the admin password can be reset remotely without WordPress generating a new one, locking out the admin):
For a quick-fix, see:
i.e., in wp-login.php, replace the line
if ( empty( $key ) )
with
if ( empty( $key ) || is_array( $key ) )
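Why the extra is_array() test matters, as an added example (not WordPress code and not from the original post): PHP's empty() returns false for any array that has at least one element, so the old check only filters out missing or empty-string keys. The function names, the stricter third check and the sample values below are assumptions made for this illustration.

```php
<?php
// Added illustration, not WordPress source. All function names are hypothetical.

// The check as it stood before the quick fix: rejects only "empty" values.
function key_rejected_before( $key ) {
    return empty( $key );
}

// The check after the quick fix quoted above.
function key_rejected_after( $key ) {
    return empty( $key ) || is_array( $key );
}

// Stricter variant (an assumption, not from the post): accept nothing
// but a non-empty string, so every other type is refused as well.
function key_rejected_strict( $key ) {
    return ! is_string( $key ) || $key === '';
}

// Constructed sample values for the $key request parameter.
$samples = array(
    'missing parameter'      => null,
    'empty string'           => '',
    'ordinary key string'    => 'Abc123Def456',
    'array with one element' => array( '' ),
    'integer'                => 42,
);

foreach ( $samples as $label => $key ) {
    printf(
        "%-24s before=%-7s after=%-7s strict=%s\n",
        $label,
        key_rejected_before( $key ) ? 'reject' : 'accept',
        key_rejected_after( $key ) ? 'reject' : 'accept',
        key_rejected_strict( $key ) ? 'reject' : 'accept'
    );
}
```

Only the "array with one element" row differs between the before and after columns: it is accepted by the old check and rejected by the patched one. The strict column also refuses the integer, which both other checks let through.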
If your WordPress installation has been hacked already, here’s an emergency password reset script you can use to reset and regenerate your admin password.
A German explanation of the security bug and how to fix it can be found on heise online: