At login screen, there should be an option "forgot password"
When user clicks on it, he needs to enter his email and click on the button "request password reset"
After clicking to that button, user should receive an email with an unique link to reset the password.
When user clicks on that link, he goes to a page with two password fields: new password and new password again.
After filling these, user should click "submit", and see a notification that his password is changed successfully and he can login with his new password, and should be taken to the login page.

Tips: This might seem like a simple task but it involves many different steps & things.
1- To send emails, you need to use JavaMail. The library commons-email can make things simpler for you. You can create a new gmail account specifically for that, it'll be the address used to send emails. You need to enable SMTP and IMAP for this account on account settings, also need to enable "less secure" apps, as described in here.

You can create a simple project with a main method and first try to send an email from this account, using commons-email to your personal email address, and when you succeed on that, move on to the next step.
2- You'll possibly need to create a new table in the db for that, something like password_reset_request maybe? When I request a password reset, it should create a record in this table.
3- The email will contain a link which is unique. It can contain an unique parameter (query string). How can you create a unique string in java?
4- When I click on that link, I will get back to the Java (Vaadin) app. But this time, app should welcome me different, with a password reset screen instead of the default screen. You need to read the request path and parameters to do that somehow.
5- From the unique request parameter (the link from email), the platform should know to which user this reset request belongs to. Use the table here :+*

XML configuration is an old and error-prone trend, and getting replaced by java configuration by most of the libraries. Migrate Hibernate to have full java configuration & finally remove hibernate.cfg.xml.

After logging in, there should be a menu to change user settings.

There should be an option to upload a profile picture.
I upload a picture from my computer, it's size (widthxheight) should be validated, if width or height is bigger than 440px, it should give an error "Please upload a smaller image". When I click "Save" after uploading, it should be stored in the database. Tip: Google "BLOB Hibernate"

If I already have a profile picture, it should be shown in this screen, in a box. There should be an option to remove it also. :+*

Depends on #2.

Users should be able to take photo from webcam and use it as profile picture.

This issue has several steps, adding an addon to Vaadin and recompiling the widgetset. I will help you on that when you start it.

Currently our loggers are doing the appending in the thread they're called from, and that might cause slowness. Better to just hand the logs to another thread and it'll do it asynchronously.

This depends on #7.

After doing #7, add super class to all your domain objects, so all the tables will be time auditable. Use @PrePersist and @PreUpdate on the super class.

This might be helpful: http://blog.octo.com/en/audit-with-jpa-creation-and-update-date/
Or this: http://gazpachogoestojava.blogspot.de/2014/05/mappedsuperclass-annotation-in-jpa.html

Emails are unique among people, and we basically need the email address for password reset, so it's better to follow this approach. Emails should be validated on register, login and before going to the database (by hibernate).

Tips: Check vaadin field validations, commons-validator and hibernate-validator.

:+*

Configure project to have a proper logging system. Use SLF4J as logging facade, and Logback as the implementation. The logs should be printed to console and a file under user home, with a name like fivesquare.log

Tip: This might be helpful: http://www.javacodegeeks.com/2012/04/using-slf4j-with-logback-tutorial.html

:+*

We're using Hibernate specific APIs for now.

It is good but it would be better to move to JPA. Instead of using Hibernate Session API, migrate the project to JPA EntityManager API, and minimize the imports from the org.hibernate package.

Better to compress the old log files with gzip, they should have extension .gz

Project should be configured such that, when I run the project, if it can connect to the database with given credentials (database exists, username and password are correct), it should create all tables from your domain classes. So, I won't need to take the database schema from you, I'll just create an empty database and run the project. :+*