If you get your random password first:
function password(){
...
return $pass;
}
$pass = password();
Then you can set a new variable to be the md5:
$mdpass = md5($pass);
Then you have 2 variables: 1 ($pass) for your email and the other ($mdpass) for updating the database.
If you want them to then be forced to change their password when they first log back in, you could have a column in the db table called "changepass" and then, in your SQL statement for the password change, set this flag to 1.
You can then run a check when the user logs in to see if this is set to 1 or 0 etc.
I like that suggestion and it would seem to be the smartest; however, it seems that this website www.webmasterworld.com sent me my original password.
IMO this would suggest that passwords were either being stored unencrypted or there was some simple 'encryption' being performed server-side to 'slow down' the would-be attacker?!
Certainly a secure site would not be able to send you your original password.
Recently a large UK hosting company got into a lot of trouble with supposedly storing unencrypted passwords, "to aid customer service". Someone broke in and stole the passwords!
It depends on what you are protecting.
I use the following (very similar to Habtom's):
1. Allow user to enter username/password/email.
2. Update the database with the encrypted password.
3. User activates account via email.
In this way the user has the desired password right away.
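
The reset flow discussed in this thread (random temporary password, only a hashed copy in the database, a "changepass" flag checked at login), as an added example that is not any poster's code. It uses PHP's password_hash()/password_verify() in place of the md5() call in the first post; the table layout, function names and sample account are assumptions, and only the "changepass" column name comes from the thread.

```php
<?php
declare(strict_types=1);

// Added example: constructed schema in an in-memory SQLite DB (needs pdo_sqlite).
// Only the "changepass" column name is taken from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username   TEXT PRIMARY KEY,
    pass_hash  TEXT NOT NULL,
    changepass INTEGER NOT NULL DEFAULT 0)');

// Temporary password from the OS CSPRNG, not rand()/mt_rand().
function temp_password(int $bytes = 12): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Store only a salted, slow hash and force a change at next login.
function reset_password(PDO $db, string $user): string
{
    $pass = temp_password();
    $stmt = $db->prepare(
        'UPDATE users SET pass_hash = ?, changepass = 1 WHERE username = ?');
    $stmt->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
    return $pass; // goes into the e-mail only; never stored or logged
}

// Returns 'denied', 'must_change' or 'ok'.
function login(PDO $db, string $user, string $pass): string
{
    $stmt = $db->prepare(
        'SELECT pass_hash, changepass FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return 'denied';
    }
    return (int) $row['changepass'] === 1 ? 'must_change' : 'ok';
}

// Constructed sample account.
$db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('original-secret', PASSWORD_DEFAULT)]);

echo login($db, 'alice', 'original-secret'), "\n";
$temp = reset_password($db, 'alice');
echo login($db, 'alice', 'original-secret'), "\n";
echo login($db, 'alice', $temp), "\n";
```

Because only the hash is stored, the site cannot mail the original password back, which is the property the replies above describe for a secure site.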