If we're going to be giving "sysop" status fairly liberally (and I don't disagree with that as a policy), you might consider still making at least one concession to database security: currently, anyone with sysop access can query the database and see users' passwords in plaintext. People tend to use the same password for several things--so it wouldn't surprize me at all if I were able to log onto Magnus's email account or something.
It shouldn't be too much work to use some minimal encryption there.
wikitech-l@lists.wikimedia.org