Well, what about this: you email them a link to a page where they can reset their password. Of course you'll need some kind of validation on this, so the link contains a random hash that gets generated and stored in your database for that user when they ask to have their password reset. When they go to the reset password page they must have an identifier in the URL with this hash code. This should be secure, as the user who signed up provided his/her email address. Also you could provide an expiry time like you mentioned.
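The flow sketched in this post (random secret in the emailed link, stored per user, checked on the reset page, with an expiry) as a runnable illustration. This is an added example, not code from the thread; the in-memory `reset_tokens` dict stands in for the database table, the 15-minute `TOKEN_TTL_SECONDS`, the `issue_reset_token` / `consume_reset_token` names and the `example.test` URL are all assumptions. It also goes slightly beyond the post: the token comes from the OS CSPRNG rather than an arbitrary "hash", only a digest of it is stored so a database leak does not hand out live links, the comparison is constant-time, and a token is deleted on first use so the link cannot be replayed.

```python
# Added example of a single-use, expiring password-reset token (not from the original post).
# reset_tokens is an in-memory stand-in for the database table the post describes.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window; the post only says "an expiry time"

# Assumed table layout: user_email -> {"token_hash": str, "expires_at": float}
reset_tokens: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    """Store only a digest: a leaked table must not contain usable reset links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create a fresh random token for the account, replacing any earlier one.

    The returned raw token is what goes into the emailed link, e.g.
    https://example.test/reset?email=<email>&token=<token>  (assumed URL shape).
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable value
    reset_tokens[email] = {
        "token_hash": _hash_token(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def consume_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Validate the link parameters; on success the record is deleted so the link is single-use."""
    now = time.time() if now is None else now
    record = reset_tokens.get(email)
    if record is None:
        return False
    if now > record["expires_at"]:
        del reset_tokens[email]  # expired: remove it so it cannot linger in the table
        return False
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    if not hmac.compare_digest(record["token_hash"], _hash_token(token)):
        return False
    del reset_tokens[email]  # single use: the same link must not work a second time
    return True


if __name__ == "__main__":
    # Constructed sample account for a local run.
    t = issue_reset_token("alice@example.test")
    print("first use:", consume_reset_token("alice@example.test", t))   # True
    print("second use:", consume_reset_token("alice@example.test", t))  # False
```

The reset page would call `consume_reset_token` with the `email` and `token` query parameters and only then show the new-password form; issuing a new token overwrites the old one, so a user who requests two emails can only use the most recent link.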