15

Probably the worst security I've ever seen is a website I used to visit that had their "Forgot your password?" system change the password of the account to the user's username and didn't even send an email confirmation before doing it.

Comments
  • 0
    Technically you can then enter every user.
  • 0
    A website I go to for a training class: enter forgot password, enter your email, which is your user ID, and it sends a 3-char password to your email, and doesn't make you change it during next login...
  • 1
    4 years ago, a friend of mine had his Hotmail stolen. Unusually, he had deleted his account recovery email; however, his stolen Hotmail account still had that old deleted email address as recovery. What did I do? I registered a new email account with exactly the same address as his recovery email, then proceeded to follow the steps to recover the stolen account, and it worked!