Tim Starling wrote:
I've just implemented a per-user limit on password reminder emails. By default, 24 hours must elapse from one password reminder to the next. I figure if you've just been sent one password reminder, you don't need another one, assuming your mail was working.
And there you've already highlighted a grave problem with your approach. Suppose you didn't receive the mail (for whatever reason). Then what?