Is it better (more convenient or secure) to provide users with a lost username or password via direct message on Twitter rather than via email?
You don't supply lost passwords at all (mostly because you can't, because if you're doing it right you don't store passwords in plain text anyway).
You facilitate a reset-feature that allows the user to, with the help of for example a secret question or simply an activation link via email, change their password.