"Forgot password" function allows easy misuse


      The "Forgot password" function invents a new password and sends it by email.

      This invites misuse, as guessing the userid is already enough to annoy or even lock out the legitimate account owner. (The user may currently not have access to his email account, or the mail could be killed by a spam filter.)

      Possible solutions could be that the old password remains valid until changed by the user himself, or a new password is only generated when the user acknowledges having received the email.

              Assignee: Unassigned
              Reporter: Alfred Nathaniel
              Votes: 4
              Watchers: 3

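A sketch of the two remedies proposed in the report, combined into one flow: requesting a reset leaves the old password valid and only mails a single-use, expiring token, and the password changes only when that token is presented. This is an added example, not code from the project this issue was filed against; the `Accounts` class, its method names and the one-hour `TOKEN_TTL` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a mailed reset token stays valid (assumed value)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """In-memory stand-in for the user store (hypothetical)."""

    def __init__(self):
        self.users = {}    # userid -> (salt, password hash)
        self.pending = {}  # userid -> (sha256 of token, expiry time)

    def set_password(self, userid, password):
        salt = secrets.token_bytes(16)
        self.users[userid] = (salt, _pw_hash(password, salt))

    def check_password(self, userid, password):
        if userid not in self.users:
            return False
        salt, stored = self.users[userid]
        return hmac.compare_digest(stored, _pw_hash(password, salt))

    def request_reset(self, userid, now=None):
        """Callable by anyone who knows the userid, so it must not touch the password."""
        if userid not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, so a leaked table cannot be replayed.
        self.pending[userid] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token  # mailed to the address on file, never shown to the requester

    def confirm_reset(self, userid, token, new_password, now=None):
        """Only the holder of the mailed token can replace the password."""
        now = time.time() if now is None else now
        digest, expiry = self.pending.get(userid, (b"", 0))
        ok = hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest())
        if not ok or now > expiry:
            return False
        del self.pending[userid]  # single use
        self.set_password(userid, new_password)
        return True
```

If the mail never arrives or is caught by a spam filter, the pending token simply expires and the account owner keeps logging in with the existing password.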