
suggestion for forgot-password system

Author: frufru (Newbie)
Joined: 23 February 2006
Location: Canada
Posted: 07 March 2008 at 5:11pm

I noticed that when you make a forgot-password request on an account (not even necessarily your own account), the password gets changed immediately and emailed to your account. I'm thinking that this may get annoying if people want to, because they could keep changing your password, and you'd have to keep checking your email and resetting it.

So yeah, since the passwords are 1-way encrypted, a good method would be to use some sort of key. So it goes like this:

1. User makes a forgot password request. Enters username/email... (CAPTCHA should still be there)
2. A 16-character key (or a similarly long one of random letters & numbers) is generated and stored to the database along with the person's username.
3. A URL is emailed to the person that goes something like...
http://forums.webwiz.net/forgotpass.asp?username=USERNAME&key=KEY

When they go to that link (and have the correct username corresponding to the right key), they will be given the option to change their password or cancel the request (which deletes the entry from the database). When the password is changed using the method, the entry representing the request is also deleted from the database.

(Oh, and perhaps include the IP address that the password request was made from and send that with the email as well)

This is the system that I have on my self-service image randomizer service (also coded with ASP; password is also 1-way encrypted). I also have a sort of limit on the # of password requests that can be made on an account before its next login (not sure if you have that here). It wasn't too hard to code, and it's been working quite well :)
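
The flow proposed in the post above, as an added Python example that is not part of the original post and is not Web Wiz Forums code: a forgot-password request only creates a key, and the password stays unchanged until the key is redeemed. The in-memory dictionaries standing in for the database, storing only a hash of the key, the one-hour expiry and the limit of three requests are assumptions made here; all names are hypothetical.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 16        # key length suggested in the post
TTL_SECONDS = 3600     # assumption: a request expires after one hour
MAX_REQUESTS = 3       # assumption: requests allowed before the next login


class ResetStore:
    """In-memory stand-in for the database table of pending requests."""

    def __init__(self):
        self.pending = {}    # username -> (sha256 hex of key, expiry time)
        self.requests = {}   # username -> requests made since last login

    def request_reset(self, username, now=None):
        """Create a key for the emailed URL; the password is not touched."""
        now = time.time() if now is None else now
        if self.requests.get(username, 0) >= MAX_REQUESTS:
            return None
        self.requests[username] = self.requests.get(username, 0) + 1
        key = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
        digest = hashlib.sha256(key.encode()).hexdigest()
        self.pending[username] = (digest, now + TTL_SECONDS)
        return key   # emailed to the user; only its hash is stored

    def check(self, username, key, now=None):
        """Link visited: is this the right, unexpired key for this username?"""
        now = time.time() if now is None else now
        digest, expires = self.pending.get(username, ("", 0.0))
        supplied = hashlib.sha256(key.encode()).hexdigest()
        return now <= expires and hmac.compare_digest(digest, supplied)

    def redeem(self, username, key, now=None):
        """Change-password or cancel chosen: valid key deletes the entry."""
        if not self.check(username, key, now):
            return False
        del self.pending[username]
        return True

    def on_login(self, username):
        """A successful login resets the request counter."""
        self.requests.pop(username, None)
```

The caller sets the new password only after `redeem` returns True; a cancel calls `redeem` and changes nothing.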