Brad's not kidding here. Gmail as it stands is hackable. I logged in today and noticed a bunch of read mail I hadn't read and it turned out that my friend got into my account earlier today. That'll teach me to set my password reminder to something I mentioned online ages ago.
update: whoa, turns out it wasn't Andy, though he did get my login from the question trick. I went and changed my password and secret question, and I've heard that Yahoo Mail and Hotmail do something similar. Someone wrote to me to point out they can get into their friends' Hotmail accounts no problem, so this isn't limited to Google's implementation. I hope any publications pick up on this point if they're writing it up tomorrow.