I am working on a web site which requests some degree of security. A pair of username and password is requested for authentication. I need to provide some methods in case a user can't remember one or both login information. A user can retrieve his/her username by providing his/her email address in his/her account. That is the system will send you username by email if you can provide your email address. I am wondering how to let a user reset the password. Is a username enough or a pair of username + email address needed for a good balance between security and cconvenience?