What needs to happen for security is any accounts that do not have their password reset manually within a week should have their passwords revoked and automatically reset where they can only be recovered with an email being sent with a recovery link to the address on file.
Alot of people use fake emails since no confirmation is needed when you signup, and what if i lost the password to the email that i signed up with?