Hello,
I would like to ask for opinions:
I have a small Website for a game server (UO-Freeshard), with forums and misc content for the game. Login for our forums and special content is required, and the registration on our Website/Forums is also the registration for the game, and the account-name/password is also used to log into the game.
During registration 3 parameters are required: Account-Name, Password, and Email. The Email is verified, new users receive a link they must click on to activate their account.
So we have 3 unique values identifying an account: Account-Name, Password and Email address. To login one uses account-name and password. The Email address is not shown anywhere, so is confidential.
To trigger a password reset (lost or forgotten password), two methods are possible.
1) Simple method: User enters his/her email address and receives an Email with account-name and new password to the registered email address, IF it is the email address the user registered with.
2) User is asked to enter his/her account name AND the email address they registered with. If both are correct, they receive an email with a new password.
I tend to the second method, because abuse is harder, the user needs to know at least the account name and the email.
Opinions?
Please keep in mind, this is a small site, and security does not need to be at credit card payment level, or anything like this. Still I wish to avoid idiots abusing this to send unrequested emails, or something like this.
Thank you.
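As an added example following this post (not the poster's code), here is the second reset method in Python with the abuse controls a defender would add: both the account name and the registered email must match, the reply is identical whether or not they match, requests per address are rate-limited, and a single-use, time-limited reset link is mailed instead of a new password. The account data, limits and URL are constructed placeholders.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample account store: account name -> registered email.
ACCOUNTS = {
    "gandalf": "gandalf@example.org",
    "frodo": "frodo@example.org",
}

MAX_REQUESTS_PER_HOUR = 3   # assumed limit; tune per site
WINDOW_SECONDS = 3600
TOKEN_LIFETIME = 900        # reset link valid for 15 minutes


@dataclass
class ResetService:
    accounts: dict
    outbox: list = field(default_factory=list)   # stands in for the mail server
    tokens: dict = field(default_factory=dict)   # token -> (account, expiry)
    history: dict = field(default_factory=dict)  # email -> request timestamps

    def _rate_limited(self, email, now):
        recent = [t for t in self.history.get(email, []) if now - t < WINDOW_SECONDS]
        self.history[email] = recent
        return len(recent) >= MAX_REQUESTS_PER_HOUR

    def request_reset(self, account, email, now=None):
        """Method 2 from the post: account name AND registered email must match.
        The return value is the same in every case, so a caller cannot probe
        which account names or email addresses exist."""
        now = time.time() if now is None else now
        registered = self.accounts.get(account.lower(), "")
        # Constant-time comparison of the lower-cased addresses.
        matches = hmac.compare_digest(registered.lower().encode(), email.lower().encode())
        if registered and matches and not self._rate_limited(registered, now):
            self.history.setdefault(registered, []).append(now)
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (account.lower(), now + TOKEN_LIFETIME)
            # Placeholder URL; a real site would use its own reset endpoint.
            self.outbox.append((registered, f"Reset link: https://example.org/reset?token={token}"))
        return "If the details match an account, a reset email has been sent."

    def redeem(self, token, now=None):
        """Returns the account for a valid token, or None. pop() makes it single-use."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] < now:
            return None
        return entry[0]
```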