I would enforce unique email addresses across the accounts.

Then it is a simple matter of sending a link to a temporary page that allows the person to change their password. (allow 24 hours or less)

The user's email account is the weakest link in this scenario.

As said, it depends on the level of security required, however, if you need a higher level, some novel solutions I have seen include;

• Displaying half of the temporary password when the user's identity has been confirmed (security question, email address etc.) then the other half being sent to the email account. If the email account has been compromised, it is unlikely that the same person has also managed to perform a man-in-the middle attack. (Seen on UK Goverment Gateway)

• Confirming identity via email and another medium - for example a code sent via text to a registered mobile. (Seen on eBay / PayPal)

For somewhere in between these two extremes implementing security questions may be the way to go as mentioned by DaveG.

When you are sending any information via email, it won't be secure. There are too many ways someone can get it. It would be child's play for a skilled hacker looking to steal your information.

Refrain from sending any personal information like passwords and income information via email as it can become VERY EMBARRASSING for you and your organization if such information was leaked or stolen. Think about security seriously. It just takes that one incident for all the bricks to fall.

As for password retrieval, thoroughly read Forgot Password Best Practices.

The bottom line is that an application following best practices should allow a user to reset his own password. Personal security questions should be used. The application should not send email, display passwords, nor set any temporary passwords.

EDIT: Updated link

Update: revised in May 2013 for a better approach

1. The user enters his username and hits "forgot password". I also recommend the option of entering the email address instead of the username, because usernames are sometimes forgotten too.
2. The system has a table password_change_requests with the columns ID, Time and UserID. When the new user presses the button, a record is created in the table. The Time column contains the time when the user pressed the "Forgot Password" button. The ID is a string. A long random string is created (say, a GUID) and then hashed like a password (which is a separate topic in and of itself). This hash is then used as the 'ID' in the table.
3. The system sends an email to the user which contains a link in it. The link also contains the original ID string (before the hashing). The link will be something like this: http://www.mysite.com/forgotpassword.jsp?ID=01234567890ABCDEF. The forgotpassword.jsp page should be able to retrieve the ID parameter. Sorry, I don't know Java, so I can't be more specific.
4. When the user clicks the link in the email, he is moved to your page. The page retrieves the ID from the URL, hashes it again, and checks against the table. If such a record is there and is no more than, say, 24 hours old, the user is presented with the prompt to enter a new password.
5. The user enters a new password, hits OK and everyone lives happily ever after... until next time!

Here are three very good links that provide information on password resets:

1. http://jtauber.com/blog/2006/03/20/account_management_patterns/

2. (Don't let users confirm using GET):http://www.artima.com/forums/flat.jsp?forum=106&thread=152805&start=15&msRange=15

3. http://fishbowl.pastiche.org/archives/docs/PasswordRecovery.pdf

Hope that helps. They sure helped me understand the issue.

It all depends on your site and the level of security that you're trying to achieve but the basic process for a web app goes something like the following:

1. The user navigates to the 'forgot my password' page and enters their username or email (whichever is unique) to request a password reset.

2. Optionally at this stage you can confirm the request by asking for additional information such as the answer to a predefined security question or their date of birth etc. This extra level stops users receiving emails they didn't request.

3. Look up the user's account. Save a temporary password (usually a GUID) and timestamp against the account record. Send an email to the user containing the temporary password.

4. The user either clicks on the link containing the temporary password and the user's identifier in the email or navigates to the 'forgot my password' page and copy & pastes the temporary password and their identifier. The user enters their new password and confirms it.

5. Look up the user's record and if the current time is within a specified time limit (e.g. 1 hour) of the timestamp saved in step 2 then hash and save the new password. (Obviously only if the temporary passwords match!). Delete the temporary GUID and timestamp.

The principal here is that the user is emailed a temporary password that let's them change their password. The originally stored password (it should be hashed!) is never changed to a temporary password in case the user remembers it.

The original password will never be displayed to the user as it should be hashed and unknown.

Note this process relies entirely on the security of the user's email account. So it depends on the level of security your wish to achieve. This is usually enough for most sites/apps.