That's like putting half your PIN number on your face - or making it your email address
Topic on Manual talk:$wgCookiePrefix
Okay - it's not like it's super easy from there but it shouldn't be there really.
There's no reason it can be any security threat. Please stop freaking out about this or demonstrate how it can be harmful.
I just came across this and don't understand why it defaults to the database name, too. On some hosts you can derive the ssh/ftp username from the database name. Thus, in my opinion, it would be better to default the name to the sitename for example. What do you think?