- Improvement
- Resolution: Fixed
- Major
- 3.1.0-dev
- None
- None
When phpBB is running on a webserver using SSL, the "I forgot my password" feature uses email (or XMPP) to send out a new password. Since email is generally unencrypted, and other attacks such as faking the DNS reply to the MX record request are possible, this presents a weakness.
I suggest adding a switch to disable this feature completely.
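The weakness the report describes, and the effect of the proposed switch, modelled as an added example (this is not phpBB code; the board, the `allow_password_reset` config key, the mail queue and the user names are all assumptions made here for illustration):

```python
import hashlib
import hmac
import secrets

# Hypothetical switch name; the page does not give a real phpBB setting for this.
DEFAULT_CONFIG = {"allow_password_reset": True}


def hash_password(password, salt=None):
    """Salted PBKDF2 so the user store never holds the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Forum:
    """Toy board: a user store, one config switch and an outgoing mail queue."""

    def __init__(self, config=None):
        self.config = dict(DEFAULT_CONFIG, **(config or {}))
        self.users = {}   # username -> (salt, digest)
        self.outbox = []  # (recipient, body); stands in for plaintext SMTP

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def forgot_password(self, username):
        """The flow the report objects to: mint a new password and mail it in clear."""
        if not self.config["allow_password_reset"]:
            return "disabled"  # the proposed switch: nothing leaves the server
        if username not in self.users:
            return "unknown"
        new_password = secrets.token_urlsafe(12)
        self.users[username] = hash_password(new_password)
        self.outbox.append((username, f"Your new password is: {new_password}"))
        return "sent"


def intercept(forum):
    """Passive observer on the mail path (unencrypted hop or spoofed MX): harvest secrets."""
    marker = "Your new password is: "
    found = []
    for recipient, body in forum.outbox:
        if marker in body:
            found.append((recipient, body.split(marker, 1)[1].strip()))
    return found


def demo(switch_on):
    """Run one reset with the switch on or off; report what an interceptor gains."""
    forum = Forum({"allow_password_reset": switch_on})
    forum.register("alice", "correct horse battery staple")  # constructed test user
    status = forum.forgot_password("alice")
    stolen = intercept(forum)
    attacker_logged_in = any(forum.login(user, pw) for user, pw in stolen)
    return status, len(stolen), attacker_logged_in


if __name__ == "__main__":
    print("switch on :", demo(True))   # interceptor reads the password and logs in
    print("switch off:", demo(False))  # nothing is mailed, nothing to harvest
```

With the switch on, the mailed password is a reusable credential, so anyone who can read the message (or who redirected it by answering the MX lookup) logs in as the user; with the switch off the exposure disappears at the cost of self-service recovery. The switch is the change the report asks for; replacing the mailed password with a short-lived, single-use token is a further hardening this page does not discuss.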