Friday, January 11, 2013

high level workflow for secure password reset

When a user asks to reset their password, have them enter their email address. Don't indicate whether that address is registered (just tell them that an email was dispatched). This is open for debate, since it lowers usability (a user who can't remember which address they registered with gets no help), but it gives less information to anyone trying to enumerate which emails are registered on your site. Generate a token (it must be unguessable, so draw it from a cryptographically secure random generator rather than hashing a timestamp with a salt, which an attacker who knows roughly when the request was made can predict) and...
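The first two steps above, as an added example that is not code from the original post: the request endpoint returns the same message whether or not the address exists, the token comes from the OS random source, only its hash is stored, and it expires and is single-use. The user table, the 15-minute lifetime and the email normalisation are assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample user table; stands in for the site's real user store.
USERS: Dict[str, int] = {"alice@example.com": 1, "bob@example.com": 2}

# Outstanding reset tokens, keyed by the SHA-256 of the token. Storing only the
# hash means a leaked copy of this table cannot be replayed as valid reset links.
RESET_TOKENS: Dict[str, Dict[str, float]] = {}

# Assumed lifetime of a reset link (15 minutes).
TOKEN_TTL_SECONDS = 15 * 60

# The same message is returned whether or not the address is registered, so the
# endpoint does not confirm which emails exist.
GENERIC_RESPONSE = "If that address is registered, a reset email has been sent."


def _digest(token: str) -> str:
    """Hash a token for storage/lookup; the raw token only ever goes in the email."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Handle a password-reset request.

    Returns (message_for_user, token_to_email). The token is None for unknown
    addresses; the caller sends it by email and never echoes it to the browser.
    The user-facing message is identical in both cases.
    """
    now = time.time() if now is None else now
    # Assumed normalisation: addresses are compared case-insensitively.
    user_id = USERS.get(email.strip().lower())
    if user_id is None:
        return GENERIC_RESPONSE, None
    # 32 bytes from the OS CSPRNG: unguessable, unlike a hashed timestamp.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return GENERIC_RESPONSE, token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Validate a token taken from a reset link; return the user id or None.

    The token is single-use: pop() removes it whether it turns out to be valid
    or expired, so a second click on the same link fails.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_digest(token), None)
    if entry is None:
        return None
    if now > entry["expires"]:
        return None
    return int(entry["user_id"])
```

Looking the token up by its digest rather than comparing raw tokens byte-by-byte also removes the usual timing-leak concern: the attacker controls only the preimage of a 256-bit random value.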