Best Way to Reset a User's Password

[spoondevil]

So on my site, users can sign up and if they happen to forget their password, they can fill in their username or email address and the backend resets their password to a random one and emails it to them - if they exist in the database.

Would it be better to do the following though?

1. User enters their username/email and requests their password be reset.
2. Web site sends them an email asking if they really want to and encloses a unique hash in a URL.
3. User can then click this URL if they really do want to reset their password.
4. Password is reset and they are sent an email telling them the password.

I thought this idea would be better, as you could have a malicious user on your site continually resetting everyone's passwords and then the "innocent" users wouldn't be able to access the site until they've checked their email and got their new password, gone on to the site and log in then change their password. Bit of hassle for the users.

Is this the way that most user sites work with password resetting?

[tripy]

I would personally not send them the password by email...

Rather, why don't you derive your proposal to:
1) User enters their username/email and requests their password be reset.
2) Web site sends them an email asking if they really want to and encloses a unique hash in a URL valid for a couple of minutes only, and maybe checking the origin IP of the request with the IP of the confirmation.
3) User can then click this URL if they really do want to reset their password.
4) Password is changed, and the new password is displayed on the page.

From there the user could change it if he want to.
It may be me, but I always tend to not send any password by emails.

[tripy]

I would personally not send them the password by email...

Rather, why don't you derive your proposal to:
1) User enters their username/email and requests their password be reset.
2) Web site sends them an email asking if they really want to and encloses a unique hash in a URL valid for a couple of minutes only, and maybe checking the origin IP of the request with the IP of the confirmation.
3) User can then click this URL if they really do want to reset their password.
4) Password is changed, and the new password is displayed on the page.

From there the user could change it if he want to.
It may be me, but I always tend to not send any password by emails.

[Tim Greer]

Make sure to use a verified method, by having a secret question and answer, as well as their email. Otherwise anyone can start annoying users by making illegitimate password requests if they knew their email. The rest of the advice above is good, so I just wanted to add that to it.

[rageh]

I agree with Tim Greer.

I also add that don't make the secret question too hard to remember later like my bank is doing askingme a random question out of a few questions that they made me answer when I was registering for the service. Almost each time, I give the wrong answer and after 2 more attempts they freeze my account prompting me to call their tech department. I hate it.

I suggest, besides the email/username, ask mother's maiden name or sporting hero. Then have the system reset the password. For added security, force them to change the password afterwards although most users would change it anyway as the automatically-generated passwords are hard to remember.

[Akash Mehta]

Time-sensitive verification is also handy, e.g. only 3 forgotten password requests per day.