The best way for this should be to do like PhpBB does: the new password is stored in a "new password" field, then this new pass is mailed to the user with a link with a link containing an activation code to activate that new password for the user. This means if the link is not clicked the password is not changed.

There is an other solution which is to prevent anybody to access the password recovery page, which is a simple htaccess rule.

Please tell which solution you prefer, and I may write a hack to help you ;)

What version are you running?

Preferably I'd like to have something like PHPbb2 does like you mentioned, but worse comes to worse I'll just prevent access to the lost password form.

As for the version: I'm running version 0.9.2. I noticed on the feature list of v 1.6 alpha that it does something like we were writing about above, so I'm going to try borrowing some code from that version and playing around with it.

Hambriq wrote:

As for the version: I'm running version 0.9.2. I noticed on the feature list of v 1.6 alpha that it does something like we were writing about above, so I'm going to try borrowing some code from that version and playing around with it.

Why would you want to grab code from the alpha version, when the beta version has been released;
http://b2evolution.net/news/2006/07/09/b2evolution_1_8_summer_beta_released