The system quellhorst describes does not require the user to know the password, or even their own username. They click the link in the email and they are automatically logged in; it's an alternate authentication scheme. If they have lost their password that's a separate issue that should be handled separately but similarly by emailing them a link, again with an 'embedded hash', that allows them to reset their password.
The assumption of course is that they and only they can access the email address specified in their account profile. If that's not the case then this all becomes a bit more problematic.
The assumption of course is that they and only they can access the email address specified in their account profile. If that's not the case then this all becomes a bit more problematic.