So I'm planning to use phpass for hashing passwords for my authentication system in PHP. My question is, what is the best practice when someone requests to recover their password because they forgot it? Would you implement a question/answer system and allow them to reset it on the site? Or would you temporarily reset their password with a random password string and send it to them via email, requiring them to change it on next login? Or is there a different, better approach?
Query/responses can be insufficient if the user chooses easily-guessed questions or if the attacker has intimate knowledge of the victim. Many high-profile sites take advantage of the information provided by the original user: an email address. Send a password reset link to the email address, and allow the user to reset the password by following the link.
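As an added illustration of the emailed-reset-link approach described in this answer (example code, not from the answerer or from phpass itself), the following assumes a hypothetical PDO connection `$pdo`, a hypothetical table `password_resets(user_id, token_hash, expires_at)`, and a hypothetical `users(id, password_hash)` table; the token is random, stored only as a hash, time-limited, and single-use.

```php
<?php
// Added example, not part of the original answer. Assumes phpass's
// PasswordHash class is loaded and that $pdo, password_resets and users
// (see lead-in) exist; all of these are hypothetical.
require_once 'PasswordHash.php';

const RESET_TTL_SECONDS = 3600; // reset links expire after one hour

// Step 1: create a token for the account tied to the submitted email.
// The caller should respond identically whether or not the email matches an
// account, so the form cannot be used to enumerate users.
function createResetToken(PDO $pdo, int $userId): string
{
    $token     = bin2hex(random_bytes(32));  // 256-bit token from the CSPRNG
    $tokenHash = hash('sha256', $token);     // store only the hash of the token
    $expiresAt = time() + RESET_TTL_SECONDS;
    $stmt = $pdo->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, $tokenHash, $expiresAt]);
    return $token; // the raw token is only ever sent inside the emailed link
}

function buildResetLink(string $token): string
{
    // Hypothetical site URL; the token is the only secret in the link.
    return 'https://example.com/reset.php?token=' . urlencode($token);
}

// Step 2: user follows the link. Look up the token by hash, reject unknown or
// expired tokens, delete it so it cannot be replayed, and return the user id.
function consumeResetToken(PDO $pdo, string $token): ?int
{
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null; // unknown or expired link
    }
    $pdo->prepare('DELETE FROM password_resets WHERE token_hash = ?')->execute([$tokenHash]);
    return (int) $row['user_id'];
}

// Step 3: store the new password with phpass (portable hashes off, cost 2^8).
function setNewPassword(PDO $pdo, int $userId, string $newPassword): void
{
    $hasher = new PasswordHash(8, false);
    $hash   = $hasher->HashPassword($newPassword);
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')->execute([$hash, $userId]);
}
```

Because the token itself is high-entropy and random, a single unsalted SHA-256 of it is enough for the lookup column; the slow phpass hash is reserved for the user-chosen password.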