Some users with short and obvious usernames get very many unsolicited password reset emails. User:Angela reports getting 6 in the last 28 days and considers this to be a typical rate. The assumed cause is people with the same name believing (or suspecting) they are the legitimate owner of the account.
Possible solutions:
* Opt in to a security question. The security question must be answered correctly before the password reset mail is sent.
* When someone requests a password reset, show them a partial email address or other innocuous personal information from the target account. The idea is to discourage people from requesting password resets for accounts they don't own.
* Allow users to simply opt out from password reset mails. The user promises not to forget their password.
* Opt in to two-step verification, and then disallow password reset through email if two-step verification has been used within the last X days.
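A sketch of how the security-question gate, the partial-email hint and the two-step rule could combine into one decision made before any mail is sent. This is an added example, not MediaWiki code: the `Account` record, the function names, the returned labels and the 30-day value standing in for "X days" are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TWO_STEP_WINDOW = timedelta(days=30)  # assumed value for the "X days" in the proposal


@dataclass
class Account:  # hypothetical record, not a MediaWiki structure
    email: str
    answer_salt: Optional[bytes] = None   # set only if the user opted in to a question
    answer_hash: Optional[bytes] = None
    last_two_step: Optional[datetime] = None  # last successful two-step login, if any


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then use a slow KDF: answers are low-entropy.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 200_000)


def mask_email(email: str) -> str:
    # Partial-address hint: first character of the local part plus the domain.
    # A fixed number of stars avoids revealing the length of the local part.
    local, _, domain = email.partition("@")
    return f"{local[:1]}{'*' * 5}@{domain}"


def decide_reset(acct: Account, now: datetime, answer: Optional[str] = None) -> str:
    # Two-step rule: used within the window, so reset through email is disallowed.
    if acct.last_two_step and now - acct.last_two_step <= TWO_STEP_WINDOW:
        return "deny_recent_two_step"
    # Security question: must be answered correctly before the mail is sent.
    if acct.answer_hash is not None:
        if answer is None:
            return "ask_security_question"
        given = hash_answer(answer, acct.answer_salt)
        if not hmac.compare_digest(given, acct.answer_hash):  # constant-time compare
            return "deny_wrong_answer"
    return "send_reset_mail"


if __name__ == "__main__":
    demo = Account(email="angela@example.org")  # constructed sample account
    print(mask_email(demo.email), decide_reset(demo, datetime(2024, 1, 31)))
```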