Looking for best practices on password recovery

Inevitably, when we discuss “loosely coupled” approaches with educational institutions, the conversation turns to “security and authentication” issues. But really, often what is meant is “those nasty web 2.0 tools won’t single sign-on to my [monolithic, obscure] campus login system, so what are we to do?”

The last time I was in this conversation, Brian Lamb made the simple but inspired observation that a huge portion of the problems single sign-on “solves” could be more easily handled with just a simple password recovery process, and challenged the educators in the room to think about how easy it was to retrieve a lost password on their current institutionally provisioned systems (any misstatement here is my own, Brian please correct me if I got this wrong). There was widespread murmuring to the effect that he had a point.

But this raised a question – can someone point me to what the best practice is for recovering a password? Asking for username comes with one set of problems, asking for email address another. I’m sure someone’s already looked at this extensively – lazyweb, help me out! – SWL
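One way to build the recovery step so that neither the username form nor the email form reveals whether an account exists, as an added example (not code from this post or from any campus system it mentions): the reply to a reset request is the same either way, and the reset token is random, stored only as a hash, time-limited and single-use. The ACCOUNTS table, TOKEN_TTL_SECONDS and the in-memory token store are constructed assumptions standing in for a real user directory and database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample store (username -> registered email); nothing else exists.
ACCOUNTS = {"alice": "alice@example.edu", "bob": "bob@example.edu"}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link
REPLY = "If that account exists, a reset link has been sent to its registered email."
# Pending tokens keyed by SHA-256 of the token, so a stolen copy of this table
# cannot be replayed: digest -> [username, expiry_timestamp, used_flag]
_pending = {}


def _find_username(identifier):
    """Resolve either a username or an email address to a username, or None."""
    ident = identifier.strip().lower()
    for user, email in ACCOUNTS.items():
        if ident in (user, email.lower()):
            return user
    return None


def request_reset(identifier, now=None):
    """Handle a 'forgot password' submission; returns (reply, token).

    The reply is identical whether or not the identifier matches an account,
    so the form cannot be used to enumerate users. The token is returned only
    so the caller can deliver it by email; it never appears in the web response.
    """
    now = time.time() if now is None else now
    user = _find_username(identifier)
    if user is None:
        return REPLY, None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = [user, now + TOKEN_TTL_SECONDS, False]
    return REPLY, token


def redeem_reset(token, now=None):
    """Return the username if the token is valid, unexpired and unused, else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored_digest, entry in _pending.items():
        if hmac.compare_digest(stored_digest, digest):
            if entry[2] or now > entry[1]:
                return None
            entry[2] = True  # single use: burn on first successful redemption
            return entry[0]
    return None
```

The two branches of `request_reset` still take different amounts of time, so in a real deployment the email send should be queued off the request path so that both branches respond alike.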