I was going to mention the security question, the reason I didn't (as you have seen today Justin) is my comments and answers sometimes (ok most of the time) get very long, detailed and complex.
For password resets we use information we need to do the reset or information already on the account. For 1 app we developed we use an email method that generates a random value then the user is emailed a link - nothing special until you consider we also generate a session ID for the user and bind their IP address to the unique URL (that is in the format of a sub-domain) to try and create some assurance that it is most likely the same user changing the password that requested it. If 1 parameter is wrong we kill the process and require a new password reset request, should this fail 3 times the account is locked, the user is emailed and the account stays this way for 3 hours or until we are contacted. If we get 4 locks in 1 month to an account the account is then locked until we're contacted by the customer and are satisfied that we're dealing with the correct person.
With this, we do have a higher than normal rate of abandoned accounts on our free services but our customers generally appreciate the added effort, plus we also have a higher than normal upgrade rate to paid services making it worthwhile as a business.
As our business is only now becoming viable we're currently developing an SMS reset method also for paid customers to take advantage of.