This is how I would let a user log in again after she has lost her password:

  1. Provide a clear "Lost your password?" link at the login page and possibly in the "help section".
  2. Let your user provide one thing she surely remembers - her email.
  3. Send a confirmation mail to the user with a text like:
     Hi, this is <you>. Someone requested a password reset on <your site>. If that was not you, you can safely ignore this email and nothing will happen. If it was you who requested your password to be reset, click this link <yoursite.com/forgotten/3ttnjwnt32t> to reset it.
     The "3ttnjwnt32t" string is only mentioned in the letter, you save

store encrypted with a hash

password resets:

  • request reset
  • allow anybody to send a reset-request-email
  • arrive at a hidden page that lasts 1 hour
  • ask for a new password and the email

This also implies that an admin should never be able to change a password, only send out an email to the user, who in turn changes it herself.
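The flow sketched in both lists above, as an added example that is not part of the original posts: a random single-use token goes out by mail, only its hash is kept server-side, the link is valid for one hour, and the hidden page accepts the new password only together with the matching email. The in-memory `USERS` dict, the `OUTBOX` list standing in for a mail transport, the `alice@example.com` account and the use of `hashlib.scrypt` for the password hash are my assumptions, not anything the posters specified.

```python
"""Added example (not from the original posts) of the reset flow described above."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600          # "hidden page that lasts 1 hour"
SITE = "yoursite.com"             # placeholder taken from the post's sample link

# Constructed sample user database (assumption): email -> record.
USERS = {
    "alice@example.com": {"pw_hash": None, "reset": None},
}
OUTBOX = []                       # stands in for the mail transport (assumption)


def _hash_token(token):
    # Only the hash is stored: the plaintext token exists solely in the mail,
    # so a database leak does not hand out working reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password, salt=None):
    # scrypt is an assumption here; any slow salted password hash would do.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def request_reset(email, now=None):
    """Anybody may ask for a reset. The reply is identical whether or not the
    address is registered, so the form cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)          # unguessable; sent only by mail
        user["reset"] = {"hash": _hash_token(token),
                         "expires": now + TOKEN_TTL_SECONDS}
        OUTBOX.append((email, "https://%s/forgotten/%s" % (SITE, token)))
    return "If that address is registered, a reset mail has been sent."


def complete_reset(token, email, new_password, now=None):
    """The hidden page asks for the email and a new password.
    Returns True only when token, email and expiry all check out."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    pending = user["reset"] if user else None
    if pending is None:
        return False
    # Constant-time comparison of the token hash.
    if not hmac.compare_digest(pending["hash"], _hash_token(token)):
        return False
    if now > pending["expires"]:
        user["reset"] = None                       # expired: discard it
        return False
    user["reset"] = None                           # single use
    user["pw_hash"] = _hash_password(new_password)
    return True


def verify_password(email, password):
    user = USERS.get(email)
    if not user or user["pw_hash"] is None:
        return False
    salt, digest = user["pw_hash"]
    return hmac.compare_digest(digest, _hash_password(password, salt)[1])


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    print(request_reset("alice@example.com", now=t0))
    token_from_mail = OUTBOX[-1][1].rsplit("/", 1)[1]
    print(complete_reset(token_from_mail, "alice@example.com", "new-pass-123", now=t0 + 60))
    print(verify_password("alice@example.com", "new-pass-123"))
```

The `now` parameter exists only so the expiry can be exercised deterministically; in a real handler it would be the wall clock. Note that the admin never sees the token either: the only copy leaves the server inside the mail.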