@theymos, couldn't a lot of this be avoided if we had a 2FA system in place? I know you don't want to use the google system, and I don't blame you, but what about a decentralized system like using a PGP public key to generate single-use passwords, and send PGP-encrypted password recovery links to the registered email?
I know we've discussed this numerous times, and it's always been shut down. Forgive me if I'm beating a dead horse, but I think I would rather live with the downsides of a 2FA system as opposed to the downsides of farming out account recovery.
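As an added illustration of the PGP challenge-response second factor the post proposes (example code, not from this thread or from the forum software): the server encrypts a random single-use, time-limited token to the user's registered public key, and accepts it back exactly once. It assumes gpg 2.2+ is installed; the key pair is a throwaway generated in a temporary GNUPGHOME to stand in for the user's key, and the user id demo-user@example.invalid is constructed.

```sh
#!/bin/sh
# Added example: a minimal PGP challenge-response second factor.
# The server holds only the user's public key; whoever can decrypt the
# challenge proves possession of the matching private key. A throwaway
# key pair (assumption) stands in for the user's real uploaded key.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
USER_UID="demo-user@example.invalid"   # constructed identity, not a real user

# Stand-in for the user's key pair (a forum would only store the public half).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$USER_UID" default default never >/dev/null 2>&1

# Server side: mint a fresh random token, remember it with an expiry, and
# emit a ciphertext that only the registered key can open.
issue_challenge() {
  TOKEN="$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  EXPIRES=$(( $(date +%s) + 300 ))            # 5-minute validity window
  printf '%s' "$TOKEN" > "$WORK/pending.token"
  printf '%s' "$EXPIRES" > "$WORK/pending.expires"
  printf '%s' "$TOKEN" | gpg --batch --quiet --trust-model always \
      --armor --encrypt --recipient "$USER_UID" > "$WORK/challenge.asc"
}

# Client side: decrypt the challenge with the private key and return the token.
solve_challenge() {
  gpg --batch --quiet --decrypt "$WORK/challenge.asc" 2>/dev/null
}

# Server side: the pending token is consumed on the first attempt, success or
# not, so a captured response cannot be replayed; expired tokens are rejected.
verify_response() {  # $1 = token presented by the client; exit 0 = accepted
  [ -f "$WORK/pending.token" ] || return 1
  expected="$(cat "$WORK/pending.token")"
  expires="$(cat "$WORK/pending.expires")"
  rm -f "$WORK/pending.token" "$WORK/pending.expires"   # single use
  [ "$(date +%s)" -le "$expires" ] || return 1
  [ "$1" = "$expected" ]
}

# Demo run: issue, solve, verify.
issue_challenge
response="$(solve_challenge)"
verify_response "$response" && echo "second factor accepted"
```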