Allow user to reset their password with an emailed link.
This is happening more frequently.
Add "forgot password?" link to login page and Pad dialog. Ask for email address (?).
Heavily rate-limit submitted requests.
Handle different cases:
- User has an email and password set: mention that they can log in via email (and link to guide), and that an email with a reset link has been sent to them.
- User only has an email set: mention that they don't have a password set, and can log in via email (link to guide)
- User only has a password set or email doesn't exist: mention that an email with a reset link has been sent to them.
- User has no email or password set: mention this and tell them to message us (perhaps pop up chat window)
Email should contain a link with a sudo=1 one-time auth-token that redirects them to /me/settings?pass and only prompts them to pick a new password. Also include the username field so browsers update their saved passwords.