How do I go about implementing a secure password reset function without sending the user an e-mail? There is another secure bit of information that I store and only the user should know, but it seems insecure to just let the user update a password just because they know a 9 digit number.

Note that user data is stored in a simple SQL table due to limitations on real database users on the server I'm working on.

Any input would be appreciated.

Update:
After making an attempt at OpenID and remembering that this server doesn't allow PHP (and thus, cURL) to make any external requests, I tried sending mail with PHP again. Apparently all of my previous terrible experiences with mail() on this server have gone away.

Thanks for all of your input, I may look into OpenID again in the future.

Punt on the password issue. Switch to OpenID. You don't have to worry about password reset, and the user only needs a new password if they want one.

it's a win-win.

Typically, identifying a user as being real on the internet requires an "opt in" model where the user "opts" to have their password reset, and an email is sent confirming that they either want it reset, or that is has been reset and what the new reset password is.

Really, the only reasonably safe alternatives are ones that use a similar method. Send an email, sms text message they must reply to, automated phone call where they have to punch in digits, etc.

The only method I can think of that doesn't use this system would be a security question. Banks often use these for additional verification when users log in or fail to log in correctly a number of times. They are sometimes also used as a "secret" code for retrieving a password, but even then, it is typically emailed to the user, not displayed on the page.

Without sending an email you are limiting yourself significantly. One of the benefits of sending a password reset code, or new password to someone's email address is you can rely on the assumption that they are the only person with access to their email account.

That said, you could use a "Secret Question" scheme to allow someone to reset their password. When this person creates their account you need to capture their secret question and the answer. You would then prompt the user with this question, and only permit resets if they answer correctly.

I must warn you that this is not a very good method of securing their password from unauthorized access. For a good article read: http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

You have no way of knowing who is trying reset "Joe's" password. It could be Joe, or could be someone posing as Joe.

An alternative to sending an email is to either call one of Joe's phones with a one-time reset key or send an SMS message.

Calling Joe's phone with an audio message is easy with http://www.twilio.com/ But anyone might be able to pick up Joe's office phone. So usually you'd want an additional challenge before calling. Eg a secret question/answer. By using the phone and the secret q&a, you've made things tougher for the bad guys but still doable by Joe.

Another idea is to send the reset message to someone that Joe trusts and who knows Joe. (Send either by email or by telephone / sms.) A variant of this is to send to an employee who knows Joe, eg his assigned salesrep, HR rep, etc.

Use the post: Send a snail mail letter with the reset code in it. Would take a couple of days to get there, but theft of mail is a federal rap. See http://www.postalmethods.com/ If there are very bad possible negative outcomes, this can be a good solution.

For any of the above, Joe would enter the information when he sets up the account.

Another pattern is to require Joe to call into a help desk and let a human interrogate him.

Bottom line is that no technique is perfect. See the twitter breakin story: http://www.technewsworld.com/story/67612.html?wlc=1247790901&wlc=1248238327

Last thought: don't forget about anti-phishing. Often done by enabling Joe to choose a picture that the site will show him when doing something important. The idea is that a phishing site won't be able to replicate the UI, thus raising Joe's suspicions that he may not have arrived at the right site.