A good analysis by Jon Duhig of a very common problem when designing web apps. The article goes through a number of common solutions to users forgetting their password (there are even more out there if you look), and arrives at a suggested ideal solution:
The best approach is to use a user-provided user experience that can prevent forgotten passwords in the first place; a password hint:
This provides an error-preventing, user-friendly approach to reduce the need for the password reseting loop. There is of course just one huge flaw; it passes the responsibility for security to the user, who is free to write completely un-secure hints like "Your wife's name followed by her birthday" or even the password itself (surely that might happen, if I know users?).
Ultimately, the solution you pick of course depends on the specifics of your app. A bank's password reset policy will rightly be a lot more involved and formal than the reset process on Reddit. The factors to keep in mind are:
- How likely it is that the user will leave forever if your password reset process is too complicated;
- How technically skilled your users are;
- How valuable access to the user account is; what harm can be done by unauthorised access;
- How high-profile your site is;
- How much time/budget you have to devote to this non-feature.
If you read this far, you should follow my RSS feed here.