This is how I would let a user login again, after she lost her password:
- Provide a clear "Lost your password?" link at the login page and possibly in the "help section"
- Let your user provide one thing she surely remembers - her email
- Send a confirmation mail to the user with a text like
Hi, this is <you>. Someone requested a password reset on <your site>. If that was not you, you can safely ignore this email and nothing will happen. If it is you, who requested your password to be reset, click this link <yoursite.com/forgotten/3ttnjwnt32t> to reset it.The "3ttnjwnt32t" string is only mentioned in the letter, you save
store encrypted with a hash
- request reset
- allow anybody to send a reset-request-email
- arrive at hidden page that lasts 1 hour
- ask for a new password and the email
This also implies that an admin never should be able to change a password, only send out an email to the user who in turn changes it herself.