What you could do, fairly similar to what Bart suggested:

1. For the procedure I used a special PasswordResetRequest object which contains all the relevant information for the request.
2. Add a link or button which takes the user to a form where they can request a password reset. For this, anonymous user access is needed. You can for example add a HTML link which triggers a microflow using the deeplink module. When triggered the microflow creates a new PasswordResetRequest object and opens the form in which the reset request is submitted.
3. User submits username, email, or whichever attribute you want to match on. Once he presses the 'OK' button, a microflow is invoked which attempts to match the input to a Member object. If it is found, a reference from the PasswordResetRequest to Member object is set and a random hash is created (You can use the action from the CommunityCommons for this). This hash will be used to find the user's reset request when he attempts to confirm it. For this the deeplink module will be used, so the URL needed to to trigger the microflow handling the next step has to be generated. The link should look something like <appurl>/link/resetpassword/<hash> , where in this case 'resetpassword' is the name of the respective deeplink configuration. The link should then be mailed to the user.
4. The user then navigates to the link which has been sent to him; this causes the deeplink module to trigger a microflow which takes the supplied hash as parameter and attempts to match it to a PasswordResetRequest. (again, this deeplink configuration requires anonymous access) If found, the Member object referenced by the PasswordResetRequest is retrieved, a new random password is generated (again using the CommunityCommons java action), set for the Member and mailed tot his email address. The PasswordResetRequest is deleted after. (As it serves no use anymore)
5. User logs in with his new password.

Needed for this solution:

• Deeplink module
• Email module, from appstore or custom
• CommunityCommons module

You may also want to add a scheduled event to clean up PasswordResetRequests older than a certain amount of time. (For example a few days)

We did build such a function using Login Widget which we modified to include a forgot password hyperlink.

This hyperlink uses a Deeplink (widget) to open directly a form on a special/dedicated entity in the application.

Setting up Guest login in project settings and minimal rights to get to this form without login in.

Now let the person enter his email and handle stuff in a microflow after commit of this special entity like setting a random password and sending it by email (AppStore module).