Hi,

When requesting a password reset (Lost your password?) it is possible to use either the @username or email address to do the request.

I think this should be restricted to only allow the email address to be used, as this is generally hidden information. Whereas the @username is visible in profile pages and the profile URL of members. Not good, an easy route for hackers and nuisance attempts to compromise other accounts.

So is it possible to restrict the Lost Password reset functionality to only work with email address?

Thanks!