This is a tough one. I've searched everywhere for a long time.
The "lost password" page allows either an 1) e-mail or 2) username to be entered.
My site has a lot of users. Someone figured out how to spook users by entering their usernames in the "lost password" box. These users are confused by the reset password e-mail.
Usernames are visible on the site. Anyone can find an username, and enter it to repeatedly e-mail that person. I know, it's stupid. There are people like that out there.
So, I'd like to disable recovering password by username. Allow it only by e-mail. E-mails are private.
Frankly, I'm surprised WordPress doesn't offer this customization in core. This is a SECURITY ISSUE, allowing people to send many emails to users -- without needing an e-mail address.