- I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
- If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
Option 1 is far easier.