Just to briefly add, I understand that this is a site with little sensitive data stored on it, such as banking information. However, when the login system consists of your public username as opposed to a private email address, targeted brute-force attacks become exponentially more prevalent, hence I believe this to be a very necessary feature.
It has been standard practice for the past decade to lock various actions behind a layer of user authentication. The two most important actions being:
- Changing the account password
- Changing the account recovery email
However, both of these actions can be performed entirely within the site itself with no layer of authentication, meaning if somebody were to gain access to your account, they could immediately change both your password and your recovery email address, giving you zero ability to regain ownership of it.
Moreover, your recovery email address is displayed on your account in its entirety, as opposed to the standard practice of censoring half of it, meaning they could now also attempt to log in to your email account using the same password.
The optimal solution is to follow the industry standard of sending a link in an email in order to perform the above-mentioned actions, thus ensuring that if your account were to be compromised, you could very easily regain ownership.
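To make the suggestion concrete, here is an added example of the flow described above: password and recovery-email changes are staged rather than applied, a single-use, time-limited link is mailed to the address already on file (the one an account hijacker does not control), and the profile page shows only a masked recovery address. This is illustrative code written for this thread, not code from the site being discussed; the in-memory `pending` store, the `outbox` list standing in for an SMTP send, the `example.invalid` link host and the 15-minute lifetime are all assumptions.

```python
"""Added example for this thread: emailed confirmation links for sensitive
account changes, plus masking of the recovery address. Not the site's code."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed link lifetime


def mask_email(address: str) -> str:
    """Reveal only the first half of the local part: alice@example.com -> al***@example.com."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    keep = max(1, len(local) // 2)
    return local[:keep] + "*" * (len(local) - keep) + "@" + domain


@dataclass
class Account:
    user_id: str
    password_hash: str
    recovery_email: str


class AccountService:
    """Sensitive changes are staged and only applied once the emailed link is used."""

    def __init__(self, clock=time.time):
        self.accounts = {}   # user_id -> Account
        self.pending = {}    # sha256(token) -> (user_id, action, payload, expires_at)
        self.outbox = []     # (recipient, link); stands in for sending mail (assumption)
        self._clock = clock

    def _stage(self, user_id: str, action: str, payload: str) -> str:
        token = secrets.token_urlsafe(32)
        # Only a hash is stored, so a dump of this table does not yield usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user_id, action, payload, self._clock() + TOKEN_TTL_SECONDS)
        # The link goes to the address on file *before* the change; a hijacker who
        # is merely logged in to the site cannot read that mailbox.
        current = self.accounts[user_id].recovery_email
        self.outbox.append((current, f"https://example.invalid/confirm/{action}?t={token}"))
        return token

    def request_recovery_email_change(self, user_id: str, new_email: str) -> str:
        return self._stage(user_id, "recovery_email", new_email)

    def request_password_change(self, user_id: str, new_password: str) -> str:
        # Placeholder digest; a real system would use a password hash such as bcrypt or argon2.
        return self._stage(user_id, "password", hashlib.sha256(new_password.encode()).hexdigest())

    def confirm(self, action: str, token: str) -> bool:
        """Apply the staged change. The token is consumed whether or not it validates."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)
        if entry is None:
            return False
        user_id, staged_action, payload, expires_at = entry
        if staged_action != action or self._clock() > expires_at:
            return False
        acct = self.accounts[user_id]
        if action == "recovery_email":
            acct.recovery_email = payload
        elif action == "password":
            acct.password_hash = payload
        return True

    def profile_view(self, user_id: str) -> dict:
        """What the account page shows: the masked address, never the full one."""
        return {"recovery_email": mask_email(self.accounts[user_id].recovery_email)}


if __name__ == "__main__":
    svc = AccountService()
    svc.accounts["u1"] = Account("u1", "old-hash", "alice@example.com")
    tok = svc.request_recovery_email_change("u1", "attacker@evil.test")
    print("mail sent to:", svc.outbox[-1][0])          # alice@example.com, not the new address
    print("profile shows:", svc.profile_view("u1"))     # masked
    print("confirm:", svc.confirm("recovery_email", tok), "again:", svc.confirm("recovery_email", tok))
```

Two design points worth noting: the confirmation mail is addressed to the recovery address as it was before the request, so a hijacker changing it to their own address still needs the real owner's inbox; and a token is removed from `pending` on first use, so the link cannot be replayed and an expired or mismatched link is discarded rather than left around.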