Which strategy is the best for recoving password. Email the user a link to create a new password, overriding the current one? or Email the user a randomly generated password, then ask them to change it?
The first one.
Create a form to get the user's email address.
If the user does not exist in your system, send an email to that address saying "someone tried to reset your password but it's not in our system".
If the user does exist in your system, create a link back to your site, and email the user that link. They click the link in the email and return to your site.
The link should look like this:
https://example.com/reset-password?email=$usersEmail&hmac=$hmacOfTheirEmail
Confirm that the email has not been tampered with by checking the HMAC.
To avoid user enumeration, return the same response from the form whether or not their email exists in your system.
Depending on your level of security...
Then force the user to change their password
Some other answers/sites recommend storing tokens in the database. Ask Mozilla how that went.
You could add some other parameters to that link such as expiry time and IP address. Make sure you include those in the HMAC too.
To prevent replay attacks, include a hash of the user's old (and forgotten) password in the link.