Aren't people supposed to be registering a gpg key with their account? That can be used to do a recovery. Backup passwords need to be used carefully as they are a potential weak spot. They are often easier to guess and may be used to provide a way back in to compromised accounts.