DNN 7 Change Password not showing

New Post
1/29/2014 5:09 PM
 
Another insight to pass along to others that run across the phrase

Failed to reset password - either the username/token combination is invalid, or the token has expired.

is that, depending on the settings, it will NOT allow the user to reuse a previous password. If they do attempt to reuse a previous password, you know what message they get?

Failed to reset password - either the username/token combination is invalid, or the token has expired.

So, to the user, they think that the token is bad or that it just didn't allow them to reset their password, and aren't realizing that they're using the same password that's been used before. Possibly it could also have to do with the banned password list block too; I haven't made a test for that specifically yet.

Myself, to hopefully help explain the issue to users, I would like to change the message to something like this:

Failed to reset password - either (1) the username/token combination is invalid, or (2) the forgot password reset link has expired, or (3) an attempt was made to reuse a previous password. Please check the username provided in the reset email and try a different, new password.

While I'm looking for that in the languages file, I'm editing for now the email that goes out so that it is also more specific:

-----------
Dear [User:DisplayName],

You have requested a Password Reset Token from [Portal:PortalName].

Please use the following link to reset your password to a new one.

Link to reset password: http://[Portal:URL]/default.aspx?ctl=PasswordReset&resetToken=[Membership:PasswordResetToken]

On this page you will enter:
Username: [User:Username]
NOTE: Please create a new, different password from one you have used before. You cannot reuse old passwords.

Sincerely,
[Portal:PortalName]

*Note: If you did not request a Password Reset Token, please disregard this Message.

Website Address: [Portal:URL]
-----------
 
New Post
1/29/2014 5:26 PM
 

The seemingly vague nature of the message is deliberate. It is a security best practice to not "leak" information unnecessarily, so saying that a password cannot be used because it's been used before is bad practice, e.g. if I tried test1 and got that, I might try to log in with test2, test3, etc. Similarly, confirming the existence of the user or that a token had once been valid is again poor practice. I know this goes against usability, but typically security trumps usability, particularly when it's something sensitive such as password resets.

Note: the key you're looking for is in admin\Security\App_LocalResources\PasswordReset.ascx.resx. Please log an issue to support.dnnsoftware.com and we can extend the message to cover the password history case also.


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
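The pattern described in the reply above, as an added example that is not DNN's code: every refusal (bad token, expired token, unknown user, reused password) returns the same generic message to the caller, while the precise reason is recorded server-side so an administrator can explain "your password thing doesn't work" calls without the page itself revealing anything. The account, salt, token lifetime and history length are constructed values; the in-memory `audit` list stands in for real server-side logging.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The user-facing text is the one quoted in the thread; the limits are demo values.
GENERIC_FAILURE = ("Failed to reset password - either the username/token "
                   "combination is invalid, or the token has expired.")
TOKEN_LIFETIME_SECONDS = 3600
PASSWORD_HISTORY_LENGTH = 3
PBKDF2_ITERATIONS = 50_000  # demo parameter, not a production policy


def hash_password(password: str, salt: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fixed per-account salt lets history be compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               PBKDF2_ITERATIONS).hex()


@dataclass
class Account:
    username: str
    salt: str
    password_history: List[str] = field(default_factory=list)  # hashes, newest last
    reset_token: Optional[str] = None
    token_issued_at: float = 0.0


class PasswordResetService:
    def __init__(self, accounts: List[Account]):
        self.accounts = {a.username: a for a in accounts}
        self.audit: List[Tuple[str, str, str]] = []  # (event, username, reason)

    def issue_token(self, username: str, now: float) -> Optional[str]:
        """Issue a single-use token; unknown users are logged, not reported."""
        account = self.accounts.get(username)
        if account is None:
            self.audit.append(("issue_refused", username, "unknown_user"))
            return None
        account.reset_token = secrets.token_urlsafe(32)
        account.token_issued_at = now
        return account.reset_token

    def _refusal_reason(self, account: Optional[Account], token: str,
                        new_password: str, now: float) -> Optional[str]:
        """Return the specific reason a reset must be refused, or None if it may proceed."""
        if account is None:
            return "unknown_user"
        if account.reset_token is None:
            return "no_outstanding_token"
        # Constant-time comparison so token guessing gains no timing signal.
        if not hmac.compare_digest(account.reset_token.encode(), token.encode()):
            return "token_mismatch"
        if now - account.token_issued_at > TOKEN_LIFETIME_SECONDS:
            return "token_expired"
        if hash_password(new_password, account.salt) in account.password_history:
            return "password_reused"
        return None

    def reset_password(self, username: str, token: str, new_password: str,
                       now: float) -> Tuple[bool, str]:
        """One generic message for every failure; the real reason goes to the audit log."""
        account = self.accounts.get(username)
        reason = self._refusal_reason(account, token, new_password, now)
        if reason is not None:
            self.audit.append(("reset_refused", username, reason))
            return False, GENERIC_FAILURE
        account.password_history.append(hash_password(new_password, account.salt))
        del account.password_history[:-PASSWORD_HISTORY_LENGTH]
        account.reset_token = None  # tokens are single use
        self.audit.append(("reset_ok", username, "ok"))
        return True, "Your password has been reset."


if __name__ == "__main__":
    # Constructed walk-through: one account whose old password is already in history.
    acct = Account("jane", salt="demo-salt",
                   password_history=[hash_password("OldPass1!", "demo-salt")])
    svc = PasswordResetService([acct])
    tok = svc.issue_token("jane", now=1000.0)
    for args in [("jane", "bogus", "NewPass2!", 1000.0),
                 ("jane", tok, "OldPass1!", 1000.0),
                 ("jane", tok, "NewPass2!", 1000.0)]:
        print(svc.reset_password(*args))
    print(svc.audit)
```

The caller sees the same sentence whether the token was wrong, stale, or the password was simply recycled, which is the property the reply argues for; the administrator reads the `audit` entries to tell the user which of the three it was.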
 
New Post
1/29/2014 6:44 PM
 

I thought that by enabling these values in the web.config:

"Original behaviour can be restored by altering your Web.config file. Look for the "enablePasswordRetrieval" attribute and set it to "true". Also, on the same line, alter the "passwordFormat" attribute to "Clear" or "Encrypted"."

I would get a "Retrieve password" link on the login, allowing users to have their password emailed to them. However, when I change the web.config as above, I still just have a "reset password" button.

Are my expectations off base?

 
New Post
1/29/2014 8:09 PM
 

Oh, I get the idea, that makes plenty of sense: you don't want to have an error message that tells bots/people more about it than you need to.

But on the other side of it, we have average joe users who keep trying the same password over and over and over and get fed up and just call the site owners and complain, "your password thing doesn't work" or "I just can't login, your site is broken"

As a developer supporting the clients who are engaging with their users, the worst thing is when clients think that something is broken when it's either user error or misunderstanding. And it seems that this lends itself to the misunderstanding part.

Not sure what an elegant way to address it would be, but for now the overly verbose text was my first try!

 
New Post
1/29/2014 8:30 PM
 

Yes, in concept it would be nice to work that way, but from what I've seen, to have everything work correctly, including all of these crucial login-related actions, you must have it set to not allow retrieval in DNN 7x.

Otherwise, some things like login work but then other things don't work:
- login by username
- forgot password request by username or email
- change password on next login
- admin user accounts edit to user password (reset)

Essentially when you start with a new site and have everything encrypted and locked down well, it's a dream to move forward with. If you have an older site that you're upgrading, once you cross over to 7x I think that you just have to change the password request/reset scenario over to reset only and then things go smoothly.

Biggest problem I have after that is explaining to the administrators that they can't "know" a user's password now, that they just click a button to send reset email.

 