FedericoCeratto/bottle-cork

Reset code should probably use some super-secret code for salting

Opened this issue · 1 comment

jsve commented

Right now it seems that anyone knowing the username and email of a user, as well as the hashing algorithm, would be able to reset the password. Maybe not likely, but still...

A way to solve this would be to add more hashing algorithms, but... It's not really feasible. How about adding a "secret code" (like Google's Security Code) that users are presented with when they sign up?
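To make the concern above concrete, here is an added example (not code from bottle-cork, and not the project's actual reset-code format) contrasting a reset code that is only a hash of public data with one keyed by a server-side secret. The function names, the `issued_at || tag` layout, the `RESET_CODE_TTL` value and the sample user are all assumptions made for illustration:

```python
# Added example, not code from bottle-cork: a reset code that is only a hash of
# public data (username, email) versus one keyed with a server-side secret.
# All names, layouts and parameters here are illustrative assumptions.
import base64
import hashlib
import hmac
import os
import struct
import time

SALT_LEN = 16
TAG_LEN = 32
RESET_CODE_TTL = 3600  # seconds a keyed code stays valid (assumed value)


def make_unkeyed_code(username: str, email: str) -> str:
    """Weak: sha256(salt || username:email). The salt rides inside the code,
    so everything needed to verify it, and therefore to forge it, is public."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(salt + f"{username}:{email}".encode()).digest()
    return base64.urlsafe_b64encode(salt + digest).decode()


def verify_unkeyed_code(code: str, username: str, email: str) -> bool:
    raw = base64.urlsafe_b64decode(code.encode())
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    expected = hashlib.sha256(salt + f"{username}:{email}".encode()).digest()
    return hmac.compare_digest(expected, digest)


def make_keyed_code(secret: bytes, username: str, email: str, now=None) -> str:
    """Hardened: code = issued_at || HMAC-SHA256(secret, username:email:issued_at).
    The secret never leaves the server, so knowing the scheme is not enough."""
    issued = int(time.time() if now is None else now)
    msg = f"{username}:{email}:{issued}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(struct.pack(">Q", issued) + tag).decode()


def verify_keyed_code(secret: bytes, code: str, username: str, email: str, now=None) -> bool:
    """Reject malformed, expired, or wrongly keyed codes; compare in constant time."""
    try:
        raw = base64.urlsafe_b64decode(code.encode())
        (issued,) = struct.unpack(">Q", raw[:8])
    except (ValueError, struct.error):
        return False
    tag = raw[8:]
    if len(tag) != TAG_LEN:
        return False
    current = time.time() if now is None else now
    if not (issued <= current < issued + RESET_CODE_TTL):
        return False
    msg = f"{username}:{email}:{issued}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def attacker_demo():
    """Attacker knows the username, the email and the scheme, but not the secret."""
    username, email = "alice", "alice@example.com"  # constructed sample user
    server_secret = os.urandom(32)  # lives only on the server
    # Unkeyed scheme: the attacker mints a code with the public recipe and it verifies.
    forged = make_unkeyed_code(username, email)
    unkeyed_forgery_accepted = verify_unkeyed_code(forged, username, email)
    # Keyed scheme: the best the attacker can do is a code under a guessed key,
    # which is rejected, while the code the server issued is accepted.
    forged_keyed = make_keyed_code(b"guess", username, email)
    keyed_forgery_accepted = verify_keyed_code(server_secret, forged_keyed, username, email)
    genuine = make_keyed_code(server_secret, username, email)
    genuine_accepted = verify_keyed_code(server_secret, genuine, username, email)
    return unkeyed_forgery_accepted, keyed_forgery_accepted, genuine_accepted
```

The point of the contrast is that a salt stored inside the code only prevents precomputation; it does not authenticate the issuer. An HMAC (or, equivalently, a random single-use token stored server-side) ties the code to something the attacker cannot know, and the embedded timestamp lets the server bound how long a leaked code stays useful.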