I really don't understand your logic behind this. One hour? Won't it be a kind of constraint on the user? Being a user, I don't like it if a site asks/forces me to behave in this way.
Well, the time can be longer (like a day) but not longer than that. Secure registration and login is important; if the user is careless enough to forget his password, then this tiny inconvenience (and I would dispute that it is much of an inconvenience) is what he has to put up with.
And another thing is that I have seen many websites that send the password to the user at his email address. How come it is insecure?
Yes, many sites do this, JavaRanch included. But from a security point of view, that sucks. Email is not a secure communication medium. People check it from public terminals and forget to log out. People use it over public WLANs that may or may not be properly secured. Or they store it and forget it until someone else finds it. In companies it is not uncommon that some colleagues have read-only access to one's email. And so on. The bottom line is: passwords don't belong in emails. Registration and password recovery links need to be time-limited for the same reason.
[ December 14, 2008: Message edited by: Ulf Dittmer ]