With the "recover password" ability enabled, users need only make a successful guess of a user ID and then that ID's password is immediately changed. Even IP blocks per account do not block this "recovery" option. I imagine something like an email sent to the address on file with a link specific to changing that account, and ALSO some kind of security question/answer scenario. Another possible option (which would be more of an "extra", not an "instead of" option) is to check against the user ID IP list (if present) before accepting the password recovery submission.
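One way to implement the emailed-link part of that suggestion, as an added example that is not code from the original post: a single-use, time-limited reset token that is bound to one account, so guessing a user ID alone no longer changes a password. The in-memory user store, token lifetime and password hashing are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store for the example; a real app would use a database.
USERS = {"alice": {"email": "alice@example.com", "password_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> {"user_id", "expires_at", "used"}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed reset link


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked table does not expose live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(user_id: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token for one account and return the raw token that
    would go in the emailed link, or None for an unknown user ID.
    (A real endpoint would answer identically in both cases so it does
    not confirm which user IDs exist.)"""
    if user_id not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unlike a user ID
    RESET_TOKENS[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": (now if now is not None else time.time()) + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def complete_reset(user_id: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Change the password only if the token is known, unused, unexpired
    and was issued for this same account."""
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record["used"]:
        return False
    if (now if now is not None else time.time()) > record["expires_at"]:
        return False
    if not hmac.compare_digest(record["user_id"].encode(), user_id.encode()):
        return False  # token belongs to a different account
    record["used"] = True  # single use: a replayed link does nothing
    # Placeholder hash; use a real password hash (argon2/bcrypt) in practice.
    USERS[user_id]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```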