Troy Hunt: Everything you ever wanted to know about building a secure password reset feature.
This is beyond in-depth. While the article title might at first look like link bait, the author completely follows through on the claim, and it's impressive. In my experience, perhaps the most lax implementation of password recovery is simply emailing you your new password in plain text. That's just one of many implementations discussed in this article.