Password reset spam bug

orlick

I'm running into a pretty serious problem on my forum right now where people have automated asking for a password reset and are firing off hundreds of password reset requests to everyone on the board. Has anyone else run into this problem? I think the best solution is to require the user to enter their email in order to get a password reset since that is private information. I am going to work on patching Vanilla today (or try to add an extension for this if possible)

fysicsluvr

or modify the captcha extension to also work on the password reset form.