What's the best way to implement password recovery from a usability perspective?

I read the other password recovery questions on SO and it seems that most people consider sending a password recovery l开发者_开发问答ink that can be used only once and expires after a couple of days to be most secure.

Now my question, (I know it is subjective, but I am looking for input that you may have received from your users)

Is this also decently comfortable for users? and by users I mean your grandmother not you co-worker.

As a user, I like when I can pick a new password of my choice, then have an activation mail sent to me, providing a clickable link for the new password to take effect.

I do not like when a new one time password is sent to me, having me to log in and edit it in my profile.

Best of all, though, is to have OpenID login, so I don't have to keep any password at all.

What can be simpler than clicking an activation link and entering a new password?

What is the focus of your site when it comes to access control, usability or security?

If it's usability then perhaps storing passwords in plain text and allowing them to be sent to the registered email address upon request is sufficient and potentially more usable than the more secure alternative.

If security is the answer then trapdoor encoding and password reset is the better option.

Based on experience, I'd recommend the following:

1. The user fills in a "forgotten password" form which sends them an email.
2. The email contains (at least) a password reset link.
3. If they click on the link they're sent a new randomly generated password. (Mix of upper/lower alpha and numeric minus 0, o, 1, i, etc. for the sake of clarity.)

Whilst this might not be ideal from a pure usability perspective (in an ideal world you wouldn't have to have a password in the first place, let's face it), it does however attempt to ensure that you're carrying out a legitimate password reset.

Alternatively (or indeed in conjunction with the above), you could allow the user to store a simple password reminder text string that's also present in the first outbound email. (If they realise what the password is at this stage they can simply enter it rather than having to perform a reset.) I wouldn't however recommend outputting this on the web site itself, as it's liable to be too strong a clue.

From a usability perspective? If a login fails three times in a row, assume they have legitimately forgotten their password, let them in anyway and prompt for changing the password.

One of the best systems I've seen for low-security accounts, is to mail a link. No need for the user to remember site URL, username or password. The site doesn't get to know about any weaknesses the user has in managing passwords.