After a certain number of requested password reset emails, a person should have to put in their recovery code to get another email. This is to prevent DoS attacks on a user with a known email.
How about just a minimum amount of time before requesting another recovery code to the same email? And perhaps a captcha on the password reset page to prevent bot spamming?
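The two proposals above (a cap on reset emails before a recovery code is required, and a minimum interval between requests to the same address) can be combined in one per-email limiter. The following is an added example written for this thread, not code from either poster; the policy values, the `ResetLimiter` class and the in-memory recovery-code table are assumptions, and the captcha suggestion is left to the web layer.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical policy values (assumptions for this example, not from the thread).
MIN_INTERVAL_SECONDS = 60     # minimum gap between two reset emails to one address
FREE_EMAILS_PER_WINDOW = 3    # emails allowed per window without a recovery code
WINDOW_SECONDS = 3600         # length of the sliding window


@dataclass
class ResetState:
    # Timestamps of reset emails sent to one address within the current window.
    sent_at: List[float] = field(default_factory=list)


class ResetLimiter:
    """Per-email limiter for password-reset requests.

    Enforces (1) a minimum interval between emails to the same address,
    (2) a cap on emails per window, after which (3) a valid recovery code
    is required before another email is sent.
    """

    def __init__(self, recovery_codes: Dict[str, str],
                 now: Callable[[], float] = time.time) -> None:
        # Constructed lookup: email -> recovery code. A real deployment would
        # store only a hash of the code; kept plain here so the example runs.
        self._codes = recovery_codes
        self._state: Dict[str, ResetState] = {}
        self._now = now  # injectable clock so the limiter is testable offline

    def request_reset(self, email: str,
                      recovery_code: Optional[str] = None) -> str:
        now = self._now()
        key = email.strip().lower()
        state = self._state.setdefault(key, ResetState())

        # Drop timestamps that have fallen out of the sliding window.
        state.sent_at = [t for t in state.sent_at if now - t < WINDOW_SECONDS]

        # Minimum spacing between emails, regardless of recovery code.
        if state.sent_at and now - state.sent_at[-1] < MIN_INTERVAL_SECONDS:
            return "too_soon"

        # Cap reached: only a valid recovery code unlocks another email.
        if len(state.sent_at) >= FREE_EMAILS_PER_WINDOW:
            if recovery_code is None:
                return "recovery_code_required"
            expected = self._codes.get(key)
            # Constant-time comparison; unknown address and wrong code give the
            # same answer so this path does not reveal whether the account exists.
            if expected is None or not hmac.compare_digest(expected, recovery_code):
                return "invalid_recovery_code"

        # Record the send. The actual email dispatch would happen here; the
        # limiter returns "sent" for unknown addresses too, so the response
        # does not tell an attacker which emails are registered.
        state.sent_at.append(now)
        return "sent"


if __name__ == "__main__":
    clock = [1000.0]
    limiter = ResetLimiter({"alice@example.com": "ABCD-1234"},
                           now=lambda: clock[0])
    for step in range(5):
        print(step, limiter.request_reset("alice@example.com"))
        clock[0] += MIN_INTERVAL_SECONDS + 1
    print("with code", limiter.request_reset("alice@example.com", "ABCD-1234"))
```

Callers should map every outcome other than `sent` to the same generic "if that address is registered, an email has been sent" message before the cap is reached; the recovery-code prompt only appears after the caller has already exhausted the free sends, so it reveals nothing an attacker did not already trigger themselves.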