What I've always done is put in functionality for the
user to receive a new random password via email. If they
forget it, they just put in their email address and their
login and password are sent. Sites implement this in any
number of ways.

Enter email address only - Just sends out a new password
to the email address.

Enter email address and answer question - When you create
an account, you include a question and answer portion. For
example, "What is your favorite color?" "Red." In order
for the new password to be set, the user has to successfully
answer the question. Most allow the user to pick their
own question.
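
The second variant described above (email address plus question and answer), as an added example that is not part of the original post. The names Account, reset_password and send_mail are assumptions made for illustration, and the sample account is constructed.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def slow_hash(secret, salt):
    # Salted PBKDF2 so neither the password nor the answer is stored in plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def normalize(answer):
    # "Red", " red " and "RED" should all count as the same answer.
    return " ".join(answer.lower().split())

class Account:
    def __init__(self, email, password, question, answer):
        self.email = email
        self.question = question  # e.g. "What is your favorite color?"
        self.salt = secrets.token_bytes(16)
        self.password_hash = slow_hash(password, self.salt)
        self.answer_hash = slow_hash(normalize(answer), self.salt)

def new_random_password(length=16):
    # secrets draws from the OS CSPRNG; random.choice would be predictable.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def check_password(account, password):
    return hmac.compare_digest(slow_hash(password, account.salt), account.password_hash)

def reset_password(accounts, email, answer, send_mail):
    """Set and mail a new random password; return True only if that happened."""
    account = accounts.get(email.strip().lower())
    if account is None:
        return False
    supplied = slow_hash(normalize(answer), account.salt)
    if not hmac.compare_digest(supplied, account.answer_hash):
        return False  # wrong answer: the old password stays valid, nothing is sent
    password = new_random_password()
    account.password_hash = slow_hash(password, account.salt)
    send_mail(account.email, f"Your new password is: {password}")
    return True

if __name__ == "__main__":
    # Constructed sample account and an in-memory stand-in for the mailer.
    accounts = {"alice@example.com": Account(
        "alice@example.com", "old-pass", "What is your favorite color?", "Red")}
    outbox = []
    mailer = lambda to, body: outbox.append((to, body))
    print(reset_password(accounts, "alice@example.com", "Blue", mailer), len(outbox))
    print(reset_password(accounts, "alice@example.com", " RED ", mailer), len(outbox))
```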