Password recovery

How does a password recovery system work in principle? I'm interested in the method where a link is sent by email and the user, by clicking the link, changes his own password. Where and how should the data be stored to be as secure as possible?

Answer 1, authority 100%

A field with the status and time is created next to the field where the password is stored.
1) If someone clicked the "recover password" link, the user is sent an email containing the hash of the ID.
2) The user has followed the link.
   1) If it is within the set time, we give the opportunity to change the password, setting the session time to a couple of minutes.
   2) If not in time, remove the password change status.

Answer 2, authority 100%

Store the user-key-expiration pair in the database. When the user follows the link, check all the data, and if everything is OK, let them change the password. If not, turn them away.

Answer 3, authority 100%

Next to the password field, in a recovery field for example, write the code that the person should come with. Pass the email and this code in the link. Or login and code, or ID and code (so that you can clearly indicate whose password is being recovered). Next, check for a match, change the password to a random one, send it to the email, and clear the recovery code. If the code is empty, turn the recovery request away.
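
The user, key and expiration record that the answers describe, sketched as an added example that is not part of the original thread. It assumes a random token from Python's `secrets` module, stores only the token's SHA-256 digest, and uses an in-memory SQLite table; the table name, function names and the 15-minute lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

def open_db():
    # Constructed in-memory schema: at most one pending reset per user.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_reset ("
               "user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL, "
               "expires_at REAL NOT NULL)")
    return db

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, user_id, now=None):
    """Create a reset token. Only its digest is stored; the raw value goes in the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random, not derived from the user ID
    db.execute("INSERT OR REPLACE INTO password_reset VALUES (?, ?, ?)",
               (user_id, _digest(token), now + TTL_SECONDS))
    db.commit()
    return token

def redeem_token(db, user_id, token, now=None):
    """Return True exactly once for a matching, unexpired token."""
    now = time.time() if now is None else now
    row = db.execute("SELECT token_hash, expires_at FROM password_reset "
                     "WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return False  # no reset was requested, or it was already used
    token_hash, expires_at = row
    matches = hmac.compare_digest(token_hash, _digest(token))  # constant-time compare
    expired = now > expires_at
    if matches or expired:
        # Single use: clear the pending reset after success or expiry.
        db.execute("DELETE FROM password_reset WHERE user_id = ?", (user_id,))
        db.commit()
    return matches and not expired
```

Because the database holds only the digest, a leaked copy of the table does not yield usable reset links.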