After a thread on the webappsec mailing list, I spent some of yesterday coming up with a guide to password recovery practices for public web applications. It's still under development, of course, so any suggestions are welcome.
It's available as a PDF and, to fulfil my obligations under the GNU FDL, as LaTeX source.
The kind folk at Google have also saved me some effort by caching the document as HTML.