I’m sure what you are saying is right — but I’m not in anyway smarter reading it then reading the one before. You can’t just say ‘No, not true’ on Hacker News. What makes the existing options not “fairly good”?

well, the burden of proof is on selmnoo, as he made the claim that they are good enough. the default state should always be negative.

To make it easier for him (and others who agree with him), here's a simple question. Name the modules (packages, whatever) that implement password-reset functionality in:

    1. Python + Django 
    2. Node.js + whatever
    3. PHP + CakePHP/CodeIgniter/Yii

I'm not aware of any.

By "password-reset" I mean user clicks "Forgot password" and goes through some process like asking a secret question, doing catpcha test, sending a password reset link via e-mail, handling the click on the link, asking for a new password and resetting it.

P.S. Pick different frameworks if you wish.

In Django? django.contrib.auth.views.password_reset seems like it would do the job, no? If you have specific logic you need to implement, rather than using the framework's default logic, there's likely not much it can do for you.

Alternatively, there appears to be a CBV version of password resets over here that looks fairly easy to extend: https://github.com/brutasse/django-password-reset

I can't talk for node.js (although I have found that its authn/authz frameworks are lacking in general) or various PHP frameworks, but Django at the least is fairly professional.