i'm in the process of designing a webapp with a login with password section. i want to have a password retrieval option for user who have lost/forgotten...

so...what y'all think is the best, least insecure way to go about this...

1) answer "hint question" and display pwd in browser or secure browser

2) enter sign up email and auto email pwd...

3) ????

i know that these both have risks....but given users are going to forget...i have to deal with it...