I *DO* agree the password reset must return. But with some restrictions. I do not think members on the website with the ability to reset passwords should be able to reset the password of a member with the same ability. I also think that there should be an email sent to the person whose password was changed saying that their password was changed, followed by the user that changed it. I also think that an email should be sent to the site owner when somebody reset someone else's password.
That would maximize security when passwords are reset by other members and possibly allow for the return of administrator password changes.
“In the end, you know it's all just blocks."