Some users with short and obvious usernames get very many unsolicited password reset emails. User:Angela reports getting 6 in the last 28 days and considers this to be a typical rate. The assumed cause is people with the same name believing (or suspecting) they are the legitimate owner of the account.
- Opt in to a security question. The security question must be answered correctly before the password reset mail is sent.
- Opt in to two-step verification, and then disallow password reset through email if two-step verification has been used within the last X days.
- Opt out of one of the password reset routes (by username / by email), while still allowing the other.
Also possible (though debated by some contributors, see below):
- Allow users to simply opt out from password reset mails. The user promises not to forget their password.