Seriously, most people (including me sometimes) forget that setting a new password is the best option. If you know a person very well, even a secret question wont suffice.

What you do is:

1. Login?
2. Forgot your password?
3. Send a mail with an activation key (perhaps linked to IP) to RESET the password.
4. Reset (with a hash) the password and enter a approx. 12 long string.
5. Send the password to the email together with an activation key.
6. Let the user enter the OLD password, the activation key and then once logged in (or at the activation key page) set their new password intimidate.

Most secure and common way to do it I guess.

__________________

"Life is a bitch, take that bitch on a ride"