Is it better when a user forgets their password to have them reset their password or to just send the lost password back to them?
It is safer to reset the password, since a third party could intercept the mailed password.
Edit: By reset, I assume you mean the common pattern of sending the user a token which allows the user to define a new password. Obviously if you just generate a new password and send it in the mail, it is just as insecure as just sending the original password. The token should of course only be usable once, otherwise it will be just as good as a password.
The only risk here is that a third party intercepts the token and changes the password before the user does. This is a lower risk than sending the password, since an intercepted password will be useful as long as the password is in use, while the token will only be useful once, and you will discover if someone has used the token.
Note that the highest risk is probably not people eavesdropping on the email traffic, but rather someone looking through your mail later, or hacking into your webmail account, so it is really bad to have still-valid passwords in your mailbox.
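The token-based reset described in this answer, as an added example that is not part of the original post: the in-memory stores, the one-hour token lifetime and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL = 3600          # seconds a reset link stays valid (assumed policy)
PBKDF2_ROUNDS = 100_000   # work factor for the stored password hash (assumed)

# Constructed in-memory stores standing in for database tables.
_users = {"alice": {"salt": b"", "pw_hash": b""}}
_reset_tokens = {}  # sha256(token) -> {"user": str, "expires": float, "used": bool}


def _hash_token(token: str) -> str:
    # Store only a digest of the token: a leaked table cannot be turned into live links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a fresh random token for the user; the plain token is only ever emailed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[_hash_token(token)] = {"user": username, "expires": now + TOKEN_TTL, "used": False}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password exactly once per token; unknown, expired or spent tokens are refused."""
    now = time.time() if now is None else now
    record = _reset_tokens.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # spent tokens stay on record, so a later reuse attempt is visible
    salt = secrets.token_bytes(16)
    _users[record["user"]] = {"salt": salt, "pw_hash": _hash_password(new_password, salt)}
    return True


def check_password(username: str, password: str) -> bool:
    user = _users.get(username)
    if user is None or not user["pw_hash"]:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
```

A second redemption of the same token fails even before its expiry, which is the "you will discover if someone has used the token" property the answer relies on.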
Sending them the lost password implies that you're keeping it in plain text or encrypted with two-way encryption, which is not safe.
I'd suggest following the WordPress mechanism for resetting the password:
- Send a link with confirmation of the password reset
- Follow the confirmation link to a page which generates a random password and sends it to the user
- Let the user log in with the new password and change it to something easier to remember.
You shouldn't be able to send back the password in the first place. Your best chance is to generate a random one-time-use password, and send it to the user's registered e-mail address.
You can deploy security questions (like "your first dog's name") and other mysticism, but I believe users tend to forget answers to these even more than their passwords, putting you back at square one.
Many users use the same password across many websites. To respect people's privacy it is recommended to always store passwords one-way encrypted with hash functions like SHA-256 or MD5. But you should not use them without an additional salt, since dictionary attacks can simply be performed on those passwords. Taking care of users' privacy forms the basis of a trusting relationship between you and your customers.
I also recommend the password resetting mechanism mentioned by Eimantes. The confirmation email message is the main task in this process. Always let the user confirm his password reset request to avoid fake requests leading to an inaccessible account.
Instead of computing a random password, you could forward the user to a page where he can enter a new password.
Also keep in mind that sending passwords over HTTP without SSL is very insecure, especially in public networks like WLAN hotspots. Take a look at message authentication methods like HMAC in combination with a Diffie-Hellman key exchange. Or at least use an additional hash+salt function during login.