[eluser]Xeoncross[/eluser]
That is the whole "forgotten password" setup. How it actually works is: 1) user enters username/email, 2) system creates random key and key_time, 3) sends key to user's email, 4) user clicks key and is sent back to site, 5) if user clicked key within key_time (15 mins?) then we confirm that this must be the user that owns the account and we now let them create a new password.
Optionally, a new password could also be created and emailed with 2) and when they click the link within the time limit that new password is activated (DX Auth).
Anyway, my site has something like this but I am still trying to figure out a way to avoid it by giving a hint in the registration email so that a user can just look back at that email without going through this trouble.
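
The five steps described in the post above, as an added PHP example that is not part of the original post and is not DX Auth's code. The function names, the in-memory `$users` array and the sample address are hypothetical; storing only a hash of the key and making it single-use are assumptions added here, not something the post states.

```php
<?php
// Added illustration; every name here is hypothetical, not DX Auth's API.
const KEY_LIFETIME = 900; // 15 minutes, the window suggested in the post

// Constructed sample "users table", kept in memory so the script runs offline.
$users = [
    'alice@example.test' => ['password' => password_hash('old-secret', PASSWORD_DEFAULT),
                             'key_hash' => null, 'key_time' => null],
];

// Steps 1-3: create a random key and key_time; the returned key goes in the emailed link.
function create_reset_key(array &$users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        return null; // caller should show the same message whether or not the account exists
    }
    $key = bin2hex(random_bytes(32));                  // 256-bit key from the CSPRNG
    $users[$email]['key_hash'] = hash('sha256', $key); // assumption: store only a hash of the key
    $users[$email]['key_time'] = $now;
    return $key;
}

// Steps 4-5: the user returns with the key; accept it only inside the time window.
function redeem_reset_key(array &$users, string $key, string $newPassword, int $now): bool
{
    $hash = hash('sha256', $key);
    foreach ($users as $email => $row) {
        if ($row['key_hash'] === null || !hash_equals($row['key_hash'], $hash)) {
            continue; // no pending key for this row, or it is not this key
        }
        // Matching key found: clear it first so it cannot be used a second time.
        $users[$email]['key_hash'] = null;
        $users[$email]['key_time'] = null;
        if ($now - $row['key_time'] > KEY_LIFETIME) {
            return false; // clicked after key_time ran out
        }
        $users[$email]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }
    return false; // unknown key
}

$t0  = time();
$key = create_reset_key($users, 'alice@example.test', $t0);
var_dump(redeem_reset_key($users, $key, 'new-secret', $t0 + 60));    // click after one minute
var_dump(redeem_reset_key($users, $key, 'again', $t0 + 120));        // same key presented twice
$late = create_reset_key($users, 'alice@example.test', $t0);
var_dump(redeem_reset_key($users, $late, 'too-late', $t0 + 1000));   // click after the window
```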