I'm currently working on the administration pages for my website, and I've now reached a point where I'm starting to look at how a user can retrieve or be given a password if they forget the original.
I've not had to deal with anything like this before and I'm not sure which solution to use, as there seem to be a number of ways to deal with this. So I thought I'd ask the more seasoned developers: what is the best method to deal with 'Password Retrieval'?
If it helps, when the user initially registers they have to provide an email address and password, which is then encrypted using salt.
I prefer to get the user to enter their email address and then:
a. Create a hash when the user submits the request and store it (which should expire after a certain amount of time - BloodyWorld).
b. The user is sent a link with that hash in.
c. They click the link, which should go to a secure page on your site; you verify it's valid by making sure the hash you saved matches the one in the link, then ask them to re-generate a password.
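Steps (a) through (c) of the answer above, as an added Python example that is not part of the original post. It assumes a plain dictionary standing in for the database table of pending reset requests, a 15-minute lifetime for each request, and the function names `create_reset_request`, `verify_reset_request` and `build_reset_link`, all of which are my own choices. The one design choice worth noting: the stored value is a hash of the random token and the e-mailed link carries the raw token, so a copy of the database alone is not enough to complete a reset; each link also works only once and only until it expires.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Lifetime of a reset request (assumed value; the answer only says "a certain amount of time").
RESET_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    """Hash the raw token so the store never holds a value that is usable as-is."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_request(store: dict, email: str, now=None) -> str:
    """Step (a): generate an unguessable token, keep only its hash plus an expiry
    keyed by e-mail address, and return the raw token for the link in step (b).
    `store` is a hypothetical in-memory stand-in for the database table."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # Overwriting any earlier entry means only the newest link for this address works.
    store[email] = {
        "token_hash": _hash_token(token),
        "expires_at": now + RESET_TTL_SECONDS,
    }
    return token


def build_reset_link(base_url: str, email: str, token: str) -> str:
    """Step (b): the URL embedded in the e-mail; `base_url` should be https."""
    return f"{base_url}/reset?{urlencode({'email': email, 'token': token})}"


def verify_reset_request(store: dict, email: str, token: str, now=None) -> bool:
    """Step (c): compare the link's token with the saved hash, reject expired
    requests, and remove the entry so a link cannot be replayed. Returns True
    only when the caller may show the "choose a new password" form."""
    now = time.time() if now is None else now
    entry = store.get(email)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del store[email]  # expired: clean up and refuse
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(entry["token_hash"], _hash_token(token)):
        return False
    del store[email]  # single use: a second click on the same link fails
    return True


if __name__ == "__main__":
    # Constructed sample run with a fixed clock.
    pending = {}
    raw = create_reset_request(pending, "alice@example.com", now=1_000.0)
    print(build_reset_link("https://example.com", "alice@example.com", raw))
    print("valid:", verify_reset_request(pending, "alice@example.com", raw, now=1_060.0))
    print("replay:", verify_reset_request(pending, "alice@example.com", raw, now=1_061.0))
```

When wiring this into a real site, key the lookup by the token hash rather than the e-mail address if you want the link to work without the address in the query string, and return the same generic "if that address exists, we've sent a link" message from the request form whether or not the address is registered.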