Some users with short and obvious usernames receive a large number of unsolicited password reset emails. User:Angela reports getting 6 in the last 28 days and considers this to be a typical rate. The assumed cause is people with the same name believing (or suspecting) that they are the legitimate owner of the account.

Possible solutions:
* Opt in to a security question. The security question must be answered correctly before the password reset mail is sent.
* Opt in to two-step verification, and then disallow password reset through email if two-step verification has been used within the last X days.
* Opt out of one of the password reset routes (by username / by email), while still allowing the other.
Also possible (though debated by some contributors, see below):
* Allow users to simply opt out from password reset mails. The user promises not to forget their password.
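
The options listed above can be combined into a single check that runs before a reset mail is sent. The sketch below is an added example, not code from the project; the `ResetPrefs` fields, the function names and the 30-day value chosen for "X days" are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TWO_STEP_WINDOW = timedelta(days=30)  # the "X days" above; 30 is an assumed value


@dataclass
class ResetPrefs:
    # Hypothetical per-user opt-in settings, one per option in the list.
    allow_by_username: bool = True
    allow_by_email: bool = True
    opted_out_entirely: bool = False
    answer_salt: bytes = b""
    answer_hash: Optional[bytes] = None          # None: no security question set
    last_two_step_use: Optional[datetime] = None


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then use a slow KDF because
    # security answers are low-entropy and easy to guess offline.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)


def should_send_reset_mail(prefs: ResetPrefs, route: str, now: datetime,
                           answer: Optional[str] = None) -> bool:
    """route is 'username' or 'email': the field the requester filled in."""
    if prefs.opted_out_entirely:
        return False
    allowed = {"username": prefs.allow_by_username, "email": prefs.allow_by_email}
    if not allowed.get(route, False):            # unknown routes are refused
        return False
    # Recent two-step use suggests the owner still has working credentials.
    if prefs.last_two_step_use is not None and \
            now - prefs.last_two_step_use <= TWO_STEP_WINDOW:
        return False
    if prefs.answer_hash is not None:
        if answer is None:
            return False
        # Constant-time comparison avoids leaking how much of the hash matched.
        return hmac.compare_digest(hash_answer(answer, prefs.answer_salt),
                                   prefs.answer_hash)
    return True
```

Whatever this check returns, the requester should see the same response, so that the form does not reveal which settings an account has enabled.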