Understanding Account Recovery in the Wild and its Security Implications

Account recovery (usually through a password reset) on many websites relies mainly on access to a registered email address, because this approach is easy to deploy and easy to use. However, it makes a user's online accounts vulnerable to a single point of failure: once the registered email account is compromised, every account that recovers through it is exposed. While previous research has focused on strengthening user passwords, the security risk posed by email-based password recovery has not yet been well studied. In this article, we first conduct a measurement study to characterize password recovery activities in the wild. Specifically, we examine the authentication and password recovery protocols of 239 traffic-heavy websites, confirming that most of them use email for password recovery. We further scrutinize the security policies of leading email service providers and show that a significant portion of them make little or no effort to protect user email accounts, leaving compromised email accounts readily available for mounting password recovery attacks. We then conduct case studies to assess the potential losses caused by such attacks. Finally, we propose and implement a lightweight email security enhancement called Secure Email Account Recovery (SEAR), which defends against password recovery attacks by adding an extra layer of protection to password recovery emails.