Feature:
Possibility of setting up bot-detection on the “forgot password” (password reset) page.
Description:
There is no rate limiting or other mechanism that would prevent the automation of sending e-mails to an attacker-chosen e-mail address. This behavior could be a minor annoyance if a malicious user decides to send multiple requests to flood another person’s inbox, thus potentially damaging the image of our company. An efficient countermeasure against automated attacks is to implement a CAPTCHA.
For reference:
previous community post, possibly never actually submitted as a feature request?
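
One way to throttle reset e-mails per recipient and per client IP, as an added example that is not part of the original post or of the product's code. The class and function names, the limits and the `send_mail` callback are hypothetical, and state is kept in process memory.

```python
import time
from collections import defaultdict, deque


class ResetThrottle:
    """Sliding-window limiter for password-reset e-mails.

    Counts are kept per recipient address and per client IP, so neither one
    source mailing many inboxes nor many sources mailing one inbox gets
    through. The default limits and window are constructed values.
    """

    def __init__(self, per_email=3, per_ip=10, window=3600.0, clock=time.monotonic):
        self.limits = {"email": per_email, "ip": per_ip}
        self.window = window
        self.clock = clock
        self.sent = defaultdict(deque)  # (kind, value) -> timestamps of sent mails

    def allow(self, email, ip):
        now = self.clock()
        # Normalise so "Bob@Example.com " and "bob@example.com" share a bucket.
        keys = [("email", email.strip().lower()), ("ip", ip)]
        for key in keys:
            bucket = self.sent[key]
            while bucket and now - bucket[0] >= self.window:
                bucket.popleft()  # forget mails older than the window
        if any(len(self.sent[key]) >= self.limits[key[0]] for key in keys):
            return False
        for key in keys:
            self.sent[key].append(now)
        return True


GENERIC_REPLY = "If the address is registered, a reset link has been sent."


def handle_reset_request(throttle, email, ip, send_mail):
    """Send a mail only when allowed; the reply is the same either way."""
    if throttle.allow(email, ip):
        send_mail(email)
    return GENERIC_REPLY
```

Returning the same reply for throttled and accepted requests keeps the form from revealing whether a limit was hit.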