this this this, i also would like to recommend a feature like most sites have where if someone password requests you it doesn't just send your literal password to your email but sends you a link to reset it entirely, just thought i'd throw that out there. something absolutely needs to be done about security nonetheless.
in that case, it might also be good to add in a feature where when your account gets a pm it notifies you via email? since right now a lot of people are having to request pws to get people to log in to check their pm inbox.