Optionally disable forgot password functionality
There should be an option in account configuration to disable the forgot password (password reset) functionality.
In many applications, even a bank account app, for example, there is a limit to the damage that could be done by unauthorized account usage and in most cases the damage is fixable. One can recover from it.
Source code is often very different in that once somebody gets it, it can almost immediately be available to all the wrong people in the world and that can never be taken back or undone. For this reason I would like to see the ability to lock down access more.
For a source code repository with reset password functionality via email, there is an additional system that is required to be secure.... the email system and all paths the email may travel between the source control (sending) servers and the receiving email servers. This introduces so many more weak links such as all employees having access to email servers, domain security and all lines the email itself may travel, since the email itself is not encrypted.
Therefor, although bitbucket may be secure, anybody could gain access to the email systems, domain systems or network the email may travel through and simply click the forgot password button to get an email to reset the password, get the reset link, login and grab the source code.
For this reason, myself and others would like to see a feature to disable forgot password functionality. When this disable option is selected, clicking the forgot password link on login would ultimately result in nothing happening. I figure I am responsible enough to keep track of my password and accept all responsibility of it being lost, without ability to reset. Essentially on a lost password scenario my account is dead even. Worst case, I would have to create the account again. Since it's a git distributed VCS, the repository exists other places in active use outside bitbucket so it is not lost. I would rather accept this risk than accepting the risk that somebody could gain access to my email and get to the source code in my account.