Forgot your password? php code

Mtlinfo

6:04 pm on May 9, 2007 (gmt 0)

10+ Year Member



Does anybody here know about setting up the php code/script behind those "Forgot your password?" links so that someone can enter their email address and sendmail will send them the password that goes with the email?

I did some research and it seems so complex that it needs its own script (pl, cgi), while I thought just a few php code lines would do the job.

If someone knows how to do just that (php or script), please let me know.

Thanks,

Richard

jatar_k

6:11 pm on May 9, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



the logic

1 show forgot password form - email and security question
2 user submits form
3 check email and security question answer against database
4 generate a new random password
5 md5 new random pass
6 write new pass to password column in database
7 set a flag for user to change password on next login (optional)
8 send email to email address entered

done

>> needs its own script

usually does

mcibor

1:02 pm on May 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Security question should be a captcha, or something similar. You don't need, in my opinion, to add a real security question (with answer stored in db) for sending an email with the password. It's not that you send someone's password to someone else's email.

Regards
Michal

jatar_k

1:06 pm on May 10, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



well, it depends what you are protecting. captcha is good to confirm it is a person, email is good to make sure it is the right account, security questions are good to ensure that the right person is accessing the right email account.

The security measures you take always depend on what you are trying to protect.

dreamcatcher

1:20 pm on May 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The way I do things is to send an e-mail to the person with a unique url, then when this is clicked, update the password info and display the new password or send e-mail confirmation.

This can prevent someone from just entering an e-mail address and getting the password changed. Only the person who has access to the mail account can, in effect, initiate the change.

dc
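The unique-URL flow dreamcatcher describes (with jatar_k's steps 4 to 8 folded into the second half), written out as an added PHP example that is not code from any poster in this thread. It assumes a PDO connection `$db`, a `users` table with columns `id`, `email`, `password_hash`, `reset_token_hash` and `reset_expires`, a `reset.php` page at `$baseUrl`, and it swaps the thread's md5 for `password_hash()`; only a hash of the token is stored, the token expires, and it is cleared after one use.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, email, password_hash,
// reset_token_hash, reset_expires). Token lifetime is an assumed value.
const TOKEN_TTL_SECONDS = 3600;

// Step 1: the user submitted the "forgot password" form with their email address.
// Respond identically whether or not the address exists, so the form cannot be
// used to discover which addresses have accounts.
function startReset(PDO $db, string $email, string $baseUrl): void
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return; // unknown address: say nothing, send nothing
    }
    $token = bin2hex(random_bytes(32));   // 256-bit secret; goes only into the email
    $tokenHash = hash('sha256', $token);  // the database never sees the raw token
    $expires = time() + TOKEN_TTL_SECONDS;

    $stmt = $db->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?');
    $stmt->execute([$tokenHash, $expires, $userId]);

    $link = $baseUrl . '/reset.php?token=' . $token;
    mail($email, 'Password reset', "Use this link within one hour:\n$link");
}

// Step 2: the user followed the link and chose a new password. Look the token up by
// its hash, compare in constant time, reject expired tokens, and invalidate the token
// so the same link cannot be replayed.
function completeReset(PDO $db, string $token, string $newPassword): bool
{
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT id, reset_token_hash, reset_expires FROM users WHERE reset_token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['reset_token_hash'], $tokenHash)) {
        return false; // no such token
    }
    if ((int) $row['reset_expires'] < time()) {
        return false; // expired: the user has to start over
    }
    $stmt = $db->prepare(
        'UPDATE users SET password_hash = ?, reset_token_hash = NULL, reset_expires = NULL WHERE id = ?'
    );
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    return true;
}
```

Because the new password is chosen by the user on the reset page rather than mailed, nothing secret travels by email except the short-lived token itself.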