What is the best “forgot my password” method? [duplicate]

Answer 1

You could made a mix between #1 and #2, taking advantages from both:

Send the user an email with a link to a unique, hidden URL that allows him to change a new randomly generated password.

That page could be SSL, and the password could expire in 12-24 hours.